
Windows Analysis Report
New Quotation - FE7191PO154.exe

Overview

General Information

Sample name: New Quotation - FE7191PO154.exe
Analysis ID: 1467842
MD5: 494d46b06be2512d5224dcbb309cc9c8
SHA1: 8b2ff6a1c15a9b0e0f1700d449040d6177ed0456
SHA256: a9d81d4d219333b4aae2743cb1b2ddb1f13c6182c773bae002ad26db214a054a
Tags: exe

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • New Quotation - FE7191PO154.exe (PID: 4916 cmdline: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe" MD5: 494D46B06BE2512D5224DCBB309CC9C8)
    • svchost.exe (PID: 3576 cmdline: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
  • 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  • 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2da53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  • 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2a610:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13e4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source | Rule | Description | Author | Strings
  • 2.2.svchost.exe.470000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  • 2.2.svchost.exe.470000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2cc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16492:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 2.2.svchost.exe.470000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  • 2.2.svchost.exe.470000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2da53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", CommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", CommandLine|base64offset|contains: B-j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", ParentImage: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe, ParentProcessId: 4916, ParentProcessName: New Quotation - FE7191PO154.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", ProcessId: 3576, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", CommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", CommandLine|base64offset|contains: B-j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", ParentImage: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe, ParentProcessId: 4916, ParentProcessName: New Quotation - FE7191PO154.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe", ProcessId: 3576, ProcessName: svchost.exe
No Snort rule has matched


          AV Detection

Source: New Quotation - FE7191PO154.exe; ReversingLabs: Detection: 50%
Source: Yara match; File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: New Quotation - FE7191PO154.exe; Joe Sandbox ML: detected
Source: New Quotation - FE7191PO154.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: New Quotation - FE7191PO154.exe, 00000000.00000003.2096404794.0000000003460000.00000004.00001000.00020000.00000000.sdmp, New Quotation - FE7191PO154.exe, 00000000.00000003.2095860304.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250272838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248695787.0000000002B00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: New Quotation - FE7191PO154.exe, 00000000.00000003.2096404794.0000000003460000.00000004.00001000.00020000.00000000.sdmp, New Quotation - FE7191PO154.exe, 00000000.00000003.2095860304.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2582048600.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250272838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248695787.0000000002B00000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E14696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E24458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E10219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E3CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DB3B4C; String: This is a third-party compiled AutoIt script.
Source: New Quotation - FE7191PO154.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Quotation - FE7191PO154.exe, 00000000.00000000.2087610787.0000000000E65000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_d316814a-5)
Source: New Quotation - FE7191PO154.exe, 00000000.00000000.2087610787.0000000000E65000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_83e30acd-4)
Source: New Quotation - FE7191PO154.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_dbc0b98e-7)
Source: New Quotation - FE7191PO154.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_e5dde886-3)
Source: initial sample; Static PE information: Filename: New Quotation - FE7191PO154.exe
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0049AFB3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00471A37 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F73D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F73D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E140B1 CreateFileW,_memset,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E08858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E1545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DBE800
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DDDBB5
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E3804A
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DBE060
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC4140
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD2405
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE6522
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E30665
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE267E
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC6843
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD283A
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE89DF
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E30AE2
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE6A94
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC8A0E
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E0EB07
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00E18B13
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DDCD61
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE7006
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC3190
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC710E
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DB1287
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD33C7
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DDF419
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD16C4
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC5680
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD78D3
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DC58C0
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD1BB8
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DE9D05
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DBFE40
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DD1FD0
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_00DDBFE6
Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe; Code function: 0_2_03043620
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0047E023
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_004731B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0049D343
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00474564
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0047FD7A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0047FD83
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00486603
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00472700
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0047FFA3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF41A2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE4420
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE2F30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F85630
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_030095C3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FE1AA3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_02F5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD59102_2_02FD5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F49EB02_2_02F49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD22_2_02F03FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD52_2_02F03FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFFB12_2_02FFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F41F922_2_02F41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFF092_2_02FFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFCF22_2_02FFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB9C322_2_02FB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FDC02_2_02F5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7D732_2_02FF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1D5A2_2_02FF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F43D402_2_02F43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F2B970 appears 280 times
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: String function: 00DB7F41 appears 35 times
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: String function: 00DD0D27 appears 70 times
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: String function: 00DD8B40 appears 42 times
          Source: New Quotation - FE7191PO154.exe, 00000000.00000003.2096733682.0000000003583000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs New Quotation - FE7191PO154.exe
          Source: New Quotation - FE7191PO154.exe, 00000000.00000003.2097766264.000000000372D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs New Quotation - FE7191PO154.exe
          Source: New Quotation - FE7191PO154.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1A2D5 GetLastError,FormatMessageW,0_2_00E1A2D5
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E08713 AdjustTokenPrivileges,CloseHandle,0_2_00E08713
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E08CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00E08CC3
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00E1B59E
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E2F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00E2F121
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E286D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00E286D0
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00DB4FE9
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeFile created: C:\Users\user\AppData\Local\Temp\aut10C0.tmp
          Source: New Quotation - FE7191PO154.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: New Quotation - FE7191PO154.exeReversingLabs: Detection: 50%
          Source: unknownProcess created: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
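The two process-creation entries above are the injection footprint worth alerting on: the sample starts a 32-bit svchost.exe from SysWOW64, but the new process carries the sample's own path as its command line. That happens when CreateProcess is called with lpApplicationName pointing at svchost.exe and lpCommandLine left as the dropper's path, so the PEB (which Sysmon reads for CommandLine) still names the dropper. The script below is an added example for this report, not Joe Sandbox code or any vendor's rule set. It runs three checks over constructed Sysmon-style Event ID 1 records: executable named in CommandLine versus Image, svchost.exe with a parent other than services.exe, and svchost.exe loaded from SysWOW64. The field names follow Sysmon; the log text and rule names are assumptions made for the demo.

```python
"""Flag process-hollowing style process creations in Sysmon-like events.

Added example for this report, not Joe Sandbox code. Field names follow
Sysmon Event ID 1 (Image, CommandLine, ParentImage); the log text below
is constructed to mirror the report's process tree and is not real telemetry.
"""
import ntpath

RULE_CMDLINE_MISMATCH = "cmdline-image-mismatch"   # Image != exe named in CommandLine
RULE_SVCHOST_PARENT = "svchost-unexpected-parent"  # svchost not started by services.exe
RULE_SVCHOST_WOW64 = "svchost-wow64"               # 32-bit svchost: host for a 32-bit payload


def executable_from_cmdline(cmd: str) -> str:
    """Return the executable token of a Windows command line (handles quoting)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_events(text: str) -> list:
    """Parse blank-line separated 'Key: value' blocks into dicts."""
    events, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                events.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur[key.strip()] = val.strip()
    if cur:
        events.append(cur)
    return events


def check_event(ev: dict) -> list:
    """Return the rule names an event trips, in a fixed order."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    img_name = ntpath.basename(image).lower()
    cmd_name = ntpath.basename(executable_from_cmdline(cmd)).lower()
    parent_name = ntpath.basename(parent).lower()
    hits = []
    # A hollowed process keeps the dropper's path in PEB->ProcessParameters,
    # so the logged CommandLine names a different binary than Image.
    if cmd and cmd_name != img_name:
        hits.append(RULE_CMDLINE_MISMATCH)
    if img_name == "svchost.exe":
        # Legitimate svchost instances are started by services.exe; baseline
        # any exceptions in your environment before alerting on this alone.
        if parent_name != "services.exe":
            hits.append(RULE_SVCHOST_PARENT)
        # Services run 64-bit on x64; a SysWOW64 svchost is a 32-bit host
        # chosen because the injected payload is 32-bit code.
        if "\\syswow64\\" in image.lower():
            hits.append(RULE_SVCHOST_WOW64)
    return hits


def analyze(text: str) -> list:
    """Return (Image, [rules]) for every event in the log text."""
    return [(ev.get("Image", ""), check_event(ev)) for ev in parse_events(text)]


# Constructed sample events (not real telemetry), mirroring the report's tree.
SAMPLE_LOG = r"""Image: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
CommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
ParentImage: C:\Windows\explorer.exe

Image: C:\Windows\SysWOW64\svchost.exe
CommandLine: "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
ParentImage: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe

Image: C:\Windows\System32\svchost.exe
CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule
ParentImage: C:\Windows\System32\services.exe
"""

if __name__ == "__main__":
    for image, rules in analyze(SAMPLE_LOG):
        print(f"{image}: {', '.join(rules) or 'clean'}")
```

Only the second constructed event trips anything, and it trips all three rules at once; a real services.exe-launched svchost with a matching command line stays clean. The command-line mismatch is the strongest of the three signals because it does not depend on a parent-process baseline.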
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: wsock32.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: winmm.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: mpr.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: wininet.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: userenv.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: wldp.dll
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: ntmarta.dll
          Source: New Quotation - FE7191PO154.exeStatic file information: File size 1173504 > 1048576
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: New Quotation - FE7191PO154.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: New Quotation - FE7191PO154.exe, 00000000.00000003.2096404794.0000000003460000.00000004.00001000.00020000.00000000.sdmp, New Quotation - FE7191PO154.exe, 00000000.00000003.2095860304.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250272838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248695787.0000000002B00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: New Quotation - FE7191PO154.exe, 00000000.00000003.2096404794.0000000003460000.00000004.00001000.00020000.00000000.sdmp, New Quotation - FE7191PO154.exe, 00000000.00000003.2095860304.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2582048600.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250272838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2582048600.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2248695787.0000000002B00000.00000004.00000020.00020000.00000000.sdmp
          Source: New Quotation - FE7191PO154.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: New Quotation - FE7191PO154.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: New Quotation - FE7191PO154.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: New Quotation - FE7191PO154.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: New Quotation - FE7191PO154.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E2C304 LoadLibraryA,GetProcAddress,0_2_00E2C304
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DD8B85 push ecx; ret 0_2_00DD8B98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00482173 push ecx; retf 2_2_00482174
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0047A90C push es; iretd 2_2_0047A913
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0047D13F push esp; iretd 2_2_0047D14C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00473440 push eax; ret 2_2_00473442
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00474FFA push 00000046h; retf 2_2_00474FFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F0283D push eax; iretd 2_2_02F02858
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx2_2_02F309B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F01368 push eax; iretd 2_2_02F01369
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00DB4A35
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E355FD
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DD33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DD33C7
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeAPI/Special instruction interceptor: Address: 3043244
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E rdtsc 2_2_02F7096E
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-99683
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-98266
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeAPI coverage: 4.7 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6336Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E14696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E14696
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E1C9C7
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1C93C FindFirstFileW,FindClose,0_2_00E1C93C
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E1F200
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E1F35D
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E1F65E
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E13A2B
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E13D4E
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E1BF27
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00DB4AFE
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeAPI call chain: ExitProcess graph end nodegraph_0-98400
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeAPI call chain: ExitProcess graph end nodegraph_0-98466
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F7096E rdtsc 2_2_02F7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004875B3 LdrLoadDll,2_2_004875B3
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E241FD BlockInput,0_2_00E241FD
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00DB3B4C
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DE5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00DE5CCC
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E2C304 LoadLibraryA,GetProcAddress,0_2_00E2C304
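The anti-debugging entries in this block (the rdtsc at 2_2_02F7096E, the IsDebuggerPresent calls, the DebugPort query, and the long run of `mov eax, dword ptr fs:[00000030h]` PEB reads that follows) come down to a handful of opcode sequences, and what matters for triage is not how many PEB reads there are but which PEB field is dereferenced next. The scanner below is an added example for this report, not Joe Sandbox code: it walks a raw 32-bit code blob for fs:[30h] loads, names the field accessed right after (BeingDebugged at +0x02, Ldr at +0x0C, NtGlobalFlag at +0x68), and reports rdtsc pairs close enough together to be a timing check. The PEB offsets and instruction encodings are standard x86/Win32; the SAMPLE bytes are constructed for the demo and are not taken from the analysed file.

```python
"""Scan a raw x86 (32-bit) code blob for anti-analysis opcode patterns.

Added example for this report, not Joe Sandbox code. It looks for the two
instruction families the report lists for the injected svchost.exe image:
PEB reads through fs:[30h], classified by the field dereferenced next, and
rdtsc pairs used as a timing check. The sample blob is constructed for the
demo and is not taken from the analysed file.
"""
from dataclasses import dataclass

# Opcode sequences that load the PEB pointer (fs:[30h]) into a register.
# Value = (mnemonic, ModRM r/m index of the destination register).
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00":     ("mov eax, fs:[30h]", 0),
    b"\x64\x8b\x05\x30\x00\x00\x00": ("mov eax, fs:[30h]", 0),
    b"\x64\x8b\x0d\x30\x00\x00\x00": ("mov ecx, fs:[30h]", 1),
    b"\x64\x8b\x15\x30\x00\x00\x00": ("mov edx, fs:[30h]", 2),
}

# 32-bit PEB field offsets commonly dereferenced right after the read.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr (module list walk, API resolution)",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}

RDTSC = b"\x0f\x31"
RDTSC_PAIR_WINDOW = 64   # two rdtsc within this many bytes = timing check


@dataclass
class Finding:
    offset: int
    kind: str
    detail: str


def classify_peb_use(blob: bytes, start: int, rm: int, window: int = 12) -> str:
    """Look just past a PEB read for a [reg+disp8] access and name the field.

    Heuristic byte walk, not a disassembler: it can misalign on data bytes.
    Matches 'mov r8/r32, [reg+disp8]' (8A/8B) and 'movzx' (0F B6/B7).
    """
    seg = blob[start:start + window]
    want = 0x40 | rm                      # ModRM: mod=01 (disp8), rm=reg
    for i in range(len(seg)):
        op = seg[i]
        if op in (0x8A, 0x8B) and i + 2 < len(seg):
            modrm, disp = seg[i + 1], seg[i + 2]
        elif op == 0x0F and i + 3 < len(seg) and seg[i + 1] in (0xB6, 0xB7):
            modrm, disp = seg[i + 2], seg[i + 3]
        else:
            continue
        if (modrm & 0xC7) == want:
            return PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
    return "unclassified"


def find_all(blob: bytes, pat: bytes):
    """Yield every offset at which pat occurs in blob (overlaps allowed)."""
    i = blob.find(pat)
    while i != -1:
        yield i
        i = blob.find(pat, i + 1)


def scan(blob: bytes) -> list:
    """Return Findings sorted by offset: PEB reads (with field) and rdtsc pairs."""
    out = []
    for pat, (mnemonic, rm) in PEB_READS.items():
        for off in find_all(blob, pat):
            field = classify_peb_use(blob, off + len(pat), rm)
            out.append(Finding(off, "peb-read", f"{mnemonic} -> {field}"))
    rd = list(find_all(blob, RDTSC))
    # A lone 0F 31 is a weak signal (two bytes match random data often);
    # only report pairs close enough to be a delta measurement.
    for a, b in zip(rd, rd[1:]):
        if b - a <= RDTSC_PAIR_WINDOW:
            out.append(Finding(a, "rdtsc-timing", f"rdtsc pair {b - a} bytes apart"))
    return sorted(out, key=lambda f: f.offset)


# Constructed demo blob: an inline BeingDebugged check, an rdtsc delta and a
# PEB->Ldr walk. Not bytes from the analysed sample.
SAMPLE = bytes.fromhex(
    "55 8b ec "                  # push ebp; mov ebp, esp
    "64 a1 30 00 00 00 "         # mov eax, fs:[30h]
    "0f b6 40 02 "               # movzx eax, byte ptr [eax+2]  ; BeingDebugged
    "85 c0 75 10 "               # test eax, eax; jne
    "0f 31 89 c6 90 90 90 "      # rdtsc; mov esi, eax; nop x3
    "0f 31 29 f0 "               # rdtsc; sub eax, esi
    "64 8b 0d 30 00 00 00 "      # mov ecx, fs:[30h]
    "8b 49 0c "                  # mov ecx, [ecx+0Ch]           ; PEB->Ldr
    "c9 c3"                      # leave; ret
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.kind:13s} {f.detail}")
```

Run against an unpacked region such as the 2.2.svchost.exe.470000.0.unpack dump from this report, a PEB read that lands on BeingDebugged or NtGlobalFlag is an anti-debug check, while one that lands on Ldr is usually API resolution by hash (the "dynamically determine API calls" behaviour). Note that the 2_2_02Fxxxxx and 2_2_030xxxxx addresses listed in this report fall inside the 0x02F00000 range where the report also found the wntdll.pdb string, so a large share of those PEB-read entries is likely the mapped ntdll copy's own PEB use rather than the payload's; the field classification, not the raw count, is what separates the two.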
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_03043510 mov eax, dword ptr fs:[00000030h]0_2_03043510
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_030434B0 mov eax, dword ptr fs:[00000030h]0_2_030434B0
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_03041E70 mov eax, dword ptr fs:[00000030h]0_2_03041E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]2_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]2_2_03008324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h]2_2_03008324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]2_2_03008324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]2_2_03008324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]2_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0300634F mov eax, dword ptr fs:[00000030h]2_2_0300634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]2_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]2_2_02F6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]2_2_02F6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]2_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]2_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]2_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h]2_2_02F2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h]2_2_02F2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h]2_2_02F36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h]2_2_02FEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h]2_2_02FEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h]2_2_02FB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h]2_2_02FB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h]2_2_02F2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]2_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h]2_2_02F663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]2_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]2_2_02FDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]2_2_02FDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]2_2_02FD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]2_2_02FD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h]2_2_02FEC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02FB63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300625D mov eax, dword ptr fs:[00000030h] 2_2_0300625D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h] 2_2_02FD437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h] 2_2_02FFA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02FD8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h] 2_2_030062D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h] 2_2_02F2C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h] 2_2_02F50310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_02F2C0F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h] 2_2_02F720F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_02F2A0E3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h] 2_2_02F380E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h] 2_2_02FB60E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h] 2_2_02FB20DE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h] 2_2_02FF60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_02FF60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h] 2_2_02F280A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h] 2_2_02FC80A8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h] 2_2_03004164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h] 2_2_03004164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h] 2_2_02F3208A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h] 2_2_02F5C073
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h] 2_2_02F32050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h] 2_2_02FB6050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h] 2_2_02FC6030
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h] 2_2_02F2A020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h] 2_2_02F2C020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h] 2_2_030061E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h] 2_2_02FB4000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h] 2_2_02F601F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02FF61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h] 2_2_02FF61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h] 2_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h] 2_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h] 2_2_02F70185
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h] 2_2_02FEC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h] 2_2_02FEC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h] 2_2_02FD4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h] 2_2_02FD4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h] 2_2_02F2C156
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h] 2_2_02FC8158
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h] 2_2_02F36154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h] 2_2_02F36154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h] 2_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h] 2_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h] 2_2_02F60124
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h] 2_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h] 2_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h] 2_2_02FF0115
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h] 2_2_02FDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h] 2_2_02FB06F1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h] 2_2_02FB06F1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_02F6A6C7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_02F6A6C7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h] 2_2_02F666B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_02F6C6A6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h] 2_2_02F34690
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h] 2_2_02F34690
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h] 2_2_02F62674
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h] 2_2_02FF866E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h] 2_2_02FF866E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h] 2_2_02F6A660
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h] 2_2_02F6A660
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h] 2_2_02F4C640
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h] 2_2_02F4E627
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h] 2_2_02F66620
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h] 2_2_02F68620
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h] 2_2_02F3262C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h] 2_2_02F72619
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h] 2_2_02FAE609
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h] 2_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h] 2_2_02F347FB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h] 2_2_02F347FB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h] 2_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h] 2_2_02FBE7E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3C7C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h] 2_2_02FB07C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h] 2_2_02F307AF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h] 2_2_02FE47A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h] 2_2_02FD678E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h] 2_2_02F38770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h] 2_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h] 2_2_02F30750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h] 2_2_02FBE75D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h] 2_2_02F72750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h] 2_2_02F72750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h] 2_2_02FB4755
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h] 2_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h] 2_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h] 2_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h] 2_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h] 2_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h] 2_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h] 2_2_02FAC730
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h] 2_2_02F6C720
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h] 2_2_02F6C720
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h] 2_2_02F30710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h] 2_2_02F60710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h] 2_2_02F6C700
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h] 2_2_03004500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h] 2_2_02F304E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h] 2_2_02F644B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h] 2_2_02FBA4B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h] 2_2_02F364AB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h] 2_2_02FEA49A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h] 2_2_02F5A470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h] 2_2_02FBC460
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h] 2_2_02FEA456
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h] 2_2_02F2645D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h] 2_2_02F5245A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h] 2_2_02F6E443
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h] 2_2_02F6A430
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h] 2_2_02F2E420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h] 2_2_02F2C427
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h] 2_2_02FB6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h] 2_2_02F68402
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_02F5E5E7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h] 2_2_02F325E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h] 2_2_02F6C5ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h] 2_2_02F6C5ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h] 2_2_02F365D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_02F6A5D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_02F6A5D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h] 2_2_02F6E5CF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h] 2_2_02F6E5CF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h] 2_2_02F545B1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h] 2_2_02F545B1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h] 2_2_02FB05A7
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h] 2_2_02F6E59C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h] 2_2_02F32582
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h] 2_2_02F32582
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h] 2_2_02F64588
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h] 2_2_02F6656A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] 2_2_02F38550
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] 2_2_02F38550
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] 2_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] 2_2_02F5E53E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h] 2_2_02FC6500
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h] 2_2_03004B00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] 2_2_02F6AAEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] 2_2_02F6AAEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F30AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F64AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] 2_2_02F64AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] 2_2_02F86ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] 2_2_02F38AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] 2_2_02F38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]2_2_03002B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]2_2_02F86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]2_2_02F68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]2_2_02FDEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]2_2_02F36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]2_2_02F40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]2_2_02F54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]2_2_02F6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]2_2_02F6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]2_2_02F5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]2_2_02FBCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]2_2_02F38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]2_2_02F5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]2_2_02FBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]2_2_02FDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]2_2_02F50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]2_2_02F30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]2_2_02F40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]2_2_02FE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]2_2_02FE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]2_2_03004A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]2_2_02F2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h]2_2_02F28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]2_2_02FDEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]2_2_02FE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]2_2_02FE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]2_2_02FC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]2_2_02FFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]2_2_02FD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]2_2_02F5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]2_2_02FF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]2_2_02FAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]2_2_02F6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]2_2_02FFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]2_2_02F5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004940 mov eax, dword ptr fs:[00000030h]2_2_03004940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]2_2_02FBC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]2_2_02F30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]2_2_02FBE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]2_2_02FC6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]2_2_02F60854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]2_2_02F34859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]2_2_02F42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]2_2_02F52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]2_2_02F6A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]2_2_02FD483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]2_2_02FBC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]2_2_02F629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]2_2_02FBE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]2_2_02F3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]2_2_02F649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]2_2_02FFA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]2_2_02FC69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]2_2_02FB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]2_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]2_2_02F309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]2_2_02FD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]2_2_02FBC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]2_2_02F56962
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E081F7
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DDA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00DDA395
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DDA364 SetUnhandledExceptionFilter,0_2_00DDA364

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 393008
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E08C93 LogonUserW,0_2_00E08C93
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00DB3B4C
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00DB4A35
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E14EF5 mouse_event,0_2_00E14EF5
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E081F7
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E14C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00E14C03
          Source: New Quotation - FE7191PO154.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: New Quotation - FE7191PO154.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DD886B cpuid 0_2_00DD886B
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DE50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00DE50D7
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DF2230 GetUserNameW,0_2_00DF2230
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DE418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00DE418A
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00DB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00DB4AFE

          Stealing of Sensitive Information

          Source: Yara matchFile source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_81
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_XP
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_XPe
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_VISTA
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_7
          Source: New Quotation - FE7191PO154.exeBinary or memory string: WIN_8
          Source: New Quotation - FE7191PO154.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara matchFile source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E26596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00E26596
          Source: C:\Users\user\Desktop\New Quotation - FE7191PO154.exeCode function: 0_2_00E26A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00E26A5A
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | LSASS Memory | 15 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Access Token Manipulation | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 21 Access Token Manipulation | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 212 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 115 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement



          Source | Detection | Scanner | Label | Link
          New Quotation - FE7191PO154.exe | 50% | ReversingLabs | Win32.Trojan.Strab |
          New Quotation - FE7191PO154.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1467842
          Start date and time: 2024-07-04 21:43:13 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 6m 53s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name: Run with higher sleep bypass
          Number of analysed new started processes analysed: 8
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: New Quotation - FE7191PO154.exe
          Detection: MAL
          Classification: mal92.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 59
          • Number of non-executed functions: 271
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: New Quotation - FE7191PO154.exe
          No simulations
          No context
          Process: C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
          File Type: data
          Category: dropped
          Size (bytes): 270848
          Entropy (8bit): 7.992931146075326
          Encrypted: true
          SSDEEP: 6144:6SsT7GYfpZCCkO1qrptykwpHXJ1pOLzXCEra+wYDs3j88oxyOP8k:tY7GYfp8gqrpoXROLOwaXeIk
          MD5: 6417747445BC858FBF9BD204C824AD00
          SHA1: EC17DEDFECA8EF363D1285F5C2416FD5C3CBC7BB
          SHA-256: CEB41F7016A5B596FDE72F9CD032707A7E0D9D6A7E9BB890E493F340057660B5
          SHA-512: BF3DFE6F149783035F2F0269C99F0EA5F0C1233D7226CCFB896F0D03E5239AFEC4CCE3F6F4A69F5F6DADCB6E020C3756C9DF03ECBAC4BCCD8796B97EADCAA59B
          Malicious: false
          Reputation: low
          Preview:...b.3YGU...Y....3Z...LX...C0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0.3YG[E.AP.F.b.R..f.2_<p$=#$B2^y$44X $t-)cB&]y.;zr..t"#'U}>TMqZ6OPTOL:1Z.d'2../7.r,$.I..o:Q.J...P4.C..../7..% XnS>.UZ6OPTOL.uS3.FTZ6M.5OLC0S3YG.Z4N[UDLC W3YGUZ6OPT._C0S#YGUz2OPT.LC S3YEUZ0OPTOLC0U3YGUZ6OPtKLC2S3YGUZ4O..OLS0S#YGUZ&OPDOLC0S3IGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6O~ *470S3.IQZ6_PTO\G0S#YGUZ6OPTOLC0S3yGU:6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3
          Process:C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
          File Type:data
          Category:dropped
          Size (bytes):9826
          Entropy (8bit):7.595089588495937
          Encrypted:false
          SSDEEP:192:65jwEiqiSLLhK6mXmHAMo0XrFZbHuAAAGVp200bAsmIr+C3VfebKfAIEev+3pCj7:I6qin6OZ70XrFZbsp200csmIr+C3gbmb
          MD5:958A965896D1772DACD23BD36F1585DF
          SHA1:3A52A92A2514F9B8383E08694D9A136CB09C5CCB
          SHA-256:BE6F4489EEC42717CAC963F68D65DC9352E923C20EF4901B915B2BC7EA1AEDE8
          SHA-512:D30AA929195A8ADD7F0C24FD7A3466A3E357168DCA4FCADE75005DC0BF83616DD268D94787ECD684C6B2C9B666846BAB5463DCCD40507852BB6650D66C940173
          Malicious:false
          Reputation:low
          Preview:EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.|........}S{....7...| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i|v)....b.h.,@..%........9....c...|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@
          Process:C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
          File Type:ASCII text, with very long lines (28756), with no line terminators
          Category:dropped
          Size (bytes):28756
          Entropy (8bit):3.5919091749017946
          Encrypted:false
          SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbCO+IFh6q84vfF3if6gZ:miTZ+2QoioGRk6ZklputwjpjBkCiw2RG
          MD5:CF204ECCC6E01B0BC79FAD4C51B0D33B
          SHA1:18A40B98F2356C7CC85074E825114116BBFA1100
          SHA-256:5342B804D95791B480BC59490287E480C67181F208D24CB2FDAC982B92D619E3
          SHA-512:2D5832E1EF9D67C16B49B71BE2F42BBA1E17784904B0DFD26A92AEEE6A97CFAC738005E4CA147BEFF718DECC30B035E4D8C30C0FC80479A93A7AB211B68C26DF
          Malicious:false
          Reputation:low
          Preview:8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff
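          Analyst note on the dropped file above (added here; it is not part of the Joe Sandbox output). The file is ASCII hex rather than binary, which is why its entropy is only 3.59 while the other two drops sit near 8 bits per byte: hex text carries at most half the information density of the bytes it encodes, so an "Encrypted: false", low-entropy text drop can still be a packed payload. Everything after the `0x` marker decodes to 32-bit x86 code. It opens with an ordinary frame setup (55 8B EC push ebp / mov ebp,esp, 81 EC sub esp,0x2cc, push esi/edi) and then runs a long sequence of `mov r32, imm32` followed by `mov word [ebp+disp], r16`, writing one UTF-16 character at a time onto the stack and terminating each name with a zeroed register. The first names it builds are kernel32.dll, ntdll.dll, user32.dll and advapi32.dll, the usual set a loader resolves by hand before it needs any import table. The decoder below is example code written for this report: it assumes exactly the encoding seen in the preview (B8/B9/BA immediates stored through 66 89 with [ebp+disp8] or [ebp+disp32], xor reg,reg as the terminator) and treats the uppercase hex before the `0x` marker as an opaque prefix, because the report does not say what that prefix is. The preview is cut off mid-string, so the last recovered name comes out truncated.

```python
import struct

# Preview of the 28,756-byte ASCII drop exactly as printed in the report above
# (the report truncates it, so the final string comes out incomplete).
DROPPED_HEX_PREVIEW = (
    "8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC88"
    "0x"
    "558bec81eccc0200005657"  # push ebp; mov ebp,esp; sub esp,0x2cc; push esi; push edi
    "b86b00000066894584" "b96500000066894d86" "ba7200000066895588" "b86e0000006689458a"
    "b96500000066894d8c" "ba6c0000006689558e" "b83300000066894590" "b93200000066894d92"
    "ba2e00000066895594" "b86400000066894596" "b96c00000066894d98" "ba6c0000006689559a"
    "33c06689459c"
    "b96e00000066898d44ffffff" "ba7400000066899546ffffff" "b86400000066898548ffffff"
    "b96c00000066898d4affffff" "ba6c0000006689954cffffff" "b82e0000006689854effffff"
    "b96400000066898d50ffffff" "ba6c00000066899552ffffff" "b86c00000066898554ffffff"
    "33c966898d56ffffff"
    "ba75000000668955d0" "b873000000668945d2" "b96500000066894dd4" "ba72000000668955d6"
    "b833000000668945d8" "b93200000066894dda" "ba2e000000668955dc" "b864000000668945de"
    "b96c00000066894de0" "ba6c000000668955e2"
    "33c0668945e4"
    "b96100000066898d68ffffff" "ba640000006689956affffff" "b8760000006689856cffffff"
    "b96100000066898d6effffff" "ba7000000066899570ffffff" "b86900000066898572ffffff"
    "b93300000066898d74ffffff" "ba3200000066899576ffffff" "b82e00000066898578ffffff"
    "b96400000066898d7affffff"
)

MOV_R32_IMM32 = range(0xB8, 0xC0)          # B8+r id : mov r32, imm32
XOR_REG_SELF = {0xC0, 0xC9, 0xD2, 0xDB, 0xE4, 0xED, 0xF6, 0xFF}  # 33 /r with reg == rm


def modrm_len(modrm):
    """Length in bytes of a ModRM byte plus its SIB/displacement (32-bit mode)."""
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:
        n += 1                               # SIB byte present
    if mod == 1:
        n += 1                               # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                               # disp32
    return n


def split_preview(text):
    """Split the drop into (opaque uppercase prefix, decoded code bytes after '0x')."""
    prefix, marker, body = text.partition("0x")
    if not marker:
        raise ValueError("no 0x marker found")
    return prefix, bytes.fromhex(body)


def recover_stack_strings(code):
    """Walk the code and collect characters moved into registers and then stored
    as 16-bit words; a xor reg,reg (the null terminator) or any non-printable
    immediate closes the current string."""
    strings, buf, i = [], [], 0

    def flush():
        if buf:
            strings.append("".join(buf))
            buf.clear()

    while i < len(code):
        op = code[i]
        if op in MOV_R32_IMM32 and i + 5 <= len(code):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if 0x20 <= imm <= 0x7E:
                buf.append(chr(imm))         # one UTF-16 code unit of the name
            else:
                flush()
            i += 5
        elif op == 0x66 and i + 2 < len(code) and code[i + 1] == 0x89:
            i += 2 + modrm_len(code[i + 2])  # mov word [ebp+disp], r16 : just skip
        elif op == 0x33 and i + 1 < len(code) and code[i + 1] in XOR_REG_SELF:
            flush()                          # zeroed register = string terminator
            i += 2
        elif 0x50 <= op <= 0x5F:             # push/pop r32
            i += 1
        elif op == 0x8B and i + 1 < len(code):   # mov r32, r/m32
            i += 1 + modrm_len(code[i + 1])
        elif op == 0x81 and i + 1 < len(code):   # sub/add r/m32, imm32
            i += 1 + modrm_len(code[i + 1]) + 4
        else:
            flush()
            i += 1
    flush()
    return strings


if __name__ == "__main__":
    prefix, code = split_preview(DROPPED_HEX_PREVIEW)
    print("prefix (uninterpreted):", prefix)
    print("code bytes decoded:", len(code))
    for s in recover_stack_strings(code):
        print("stack string:", s)
```

          Run against the preview this yields kernel32.dll, ntdll.dll, user32.dll and the truncated advapi32.d; the same walker applied to the full drop would continue past the point where the report cuts off. Because the strings never exist contiguously in the file, neither `strings` nor a plain YARA text rule on the drop will see them, which is the point of building them this way.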
          Process:C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
          File Type:data
          Category:dropped
          Size (bytes):270848
          Entropy (8bit):7.992931146075326
          Encrypted:true
          SSDEEP:6144:6SsT7GYfpZCCkO1qrptykwpHXJ1pOLzXCEra+wYDs3j88oxyOP8k:tY7GYfp8gqrpoXROLOwaXeIk
          MD5:6417747445BC858FBF9BD204C824AD00
          SHA1:EC17DEDFECA8EF363D1285F5C2416FD5C3CBC7BB
          SHA-256:CEB41F7016A5B596FDE72F9CD032707A7E0D9D6A7E9BB890E493F340057660B5
          SHA-512:BF3DFE6F149783035F2F0269C99F0EA5F0C1233D7226CCFB896F0D03E5239AFEC4CCE3F6F4A69F5F6DADCB6E020C3756C9DF03ECBAC4BCCD8796B97EADCAA59B
          Malicious:false
          Reputation:low
          Preview:...b.3YGU...Y....3Z...LX...C0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0.3YG[E.AP.F.b.R..f.2_<p$=#$B2^y$44X $t-)cB&]y.;zr..t"#'U}>TMqZ6OPTOL:1Z.d'2../7.r,$.I..o:Q.J...P4.C..../7..% XnS>.UZ6OPTOL.uS3.FTZ6M.5OLC0S3YG.Z4N[UDLC W3YGUZ6OPT._C0S#YGUz2OPT.LC S3YEUZ0OPTOLC0U3YGUZ6OPtKLC2S3YGUZ4O..OLS0S#YGUZ&OPDOLC0S3IGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6O~ *470S3.IQZ6_PTO\G0S#YGUZ6OPTOLC0S3yGU:6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3YGUZ6OPTOLC0S3
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.123899764764069
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:New Quotation - FE7191PO154.exe
          File size:1'173'504 bytes
          MD5:494d46b06be2512d5224dcbb309cc9c8
          SHA1:8b2ff6a1c15a9b0e0f1700d449040d6177ed0456
          SHA256:a9d81d4d219333b4aae2743cb1b2ddb1f13c6182c773bae002ad26db214a054a
          SHA512:80a2c2466845f59d311efe7cea463f219062d08f542e2de1f796e181bbd9826b4fd46cb5ff769e6cf9b6cd7ec7a0e8a5413b6d12e19a21dc268b81da38aaa67d
          SSDEEP:24576:FAHnh+eWsN3skA4RV1Hom2KXMmHa7tlktThsYldX5:0h+ZkldoPK8Ya7/kx/l7
          TLSH:8045BE0273D2C036FFAB92739B6AF20556BC79254123852F13981DB9BD701B2277E663
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x42800a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x6685F3F0 [Thu Jul 4 00:59:28 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:afcdf79be1557326c854b6e20cb900a7
          Instruction
          call 00007F122CC5E5CDh
          jmp 00007F122CC51384h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007F122CC5150Ah
          cmp edi, eax
          jc 00007F122CC5186Eh
          bt dword ptr [004C41FCh], 01h
          jnc 00007F122CC51509h
          rep movsb
          jmp 00007F122CC5181Ch
          cmp ecx, 00000080h
          jc 00007F122CC516D4h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007F122CC51510h
          bt dword ptr [004BF324h], 01h
          jc 00007F122CC519E0h
          bt dword ptr [004C41FCh], 00000000h
          jnc 00007F122CC516ADh
          test edi, 00000003h
          jne 00007F122CC516BEh
          test esi, 00000003h
          jne 00007F122CC5169Dh
          bt edi, 02h
          jnc 00007F122CC5150Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007F122CC51513h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007F122CC51565h
          bt esi, 03h
          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD5 build 40629
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD5 build 40629
          Name                                  Virtual Address  Size      Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0cc          0x17c     .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x541a0   .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11d000         0x7134    .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c      .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4b50          0x40      .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884     .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
          Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
          .text   0x1000           0x8dfdd       0x8e000   310e36668512d53489c005622bb1b4a9  False     0.5735602580325704   data       6.675248351711057   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata  0x8f000          0x2fd8e       0x2fe00   748cf1ab2605ce1fd72d53d912abb68f  False     0.32828818537859006  data       5.763244005758284   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data   0xbf000          0x8f74        0x5200    aae9601d920f07080bdfadf43dfeff12  False     0.1017530487804878   data       1.1963819235530628  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc   0xc8000          0x541a0       0x54200   3d97934f0eb54532f0676f34a19ceff7  False     0.9221942329123328   data       7.881061150222204   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc  0x11d000         0x7134        0x7200    f04128ad0f87f42830e4a6cdbc38c719  False     0.7617530153508771   data       6.783955557128661   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name           RVA       Size     Language  Country        ZLIB Complexity      Type
          RT_ICON        0xc85a8   0x128    English   Great Britain  0.7466216216216216   Device independent bitmap graphic, 16 x 32 x 4, image size 192
          RT_ICON        0xc86d0   0x128    English   Great Britain  0.3277027027027027   Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors
          RT_ICON        0xc87f8   0x128    English   Great Britain  0.3885135135135135   Device independent bitmap graphic, 16 x 32 x 4, image size 192
          RT_ICON        0xc8920   0x2e8    English   Great Britain  0.3333333333333333   Device independent bitmap graphic, 32 x 64 x 4, image size 0
          RT_ICON        0xc8c08   0x128    English   Great Britain  0.5                  Device independent bitmap graphic, 16 x 32 x 4, image size 0
          RT_ICON        0xc8d30   0xea8    English   Great Britain  0.2835820895522388   Device independent bitmap graphic, 48 x 96 x 8, image size 0
          RT_ICON        0xc9bd8   0x8a8    English   Great Britain  0.37906137184115524  Device independent bitmap graphic, 32 x 64 x 8, image size 0
          RT_ICON        0xca480   0x568    English   Great Britain  0.23699421965317918  Device independent bitmap graphic, 16 x 32 x 8, image size 0
          RT_ICON        0xca9e8   0x25a8   English   Great Britain  0.13858921161825727  Device independent bitmap graphic, 48 x 96 x 32, image size 0
          RT_ICON        0xccf90   0x10a8   English   Great Britain  0.25070356472795496  Device independent bitmap graphic, 32 x 64 x 32, image size 0
          RT_ICON        0xce038   0x468    English   Great Britain  0.3173758865248227   Device independent bitmap graphic, 16 x 32 x 32, image size 0
          RT_MENU        0xce4a0   0x50     English   Great Britain  0.9                  data
          RT_STRING      0xce4f0   0x594    English   Great Britain  0.3333333333333333   data
          RT_STRING      0xcea84   0x68a    English   Great Britain  0.2747909199522103   data
          RT_STRING      0xcf110   0x490    English   Great Britain  0.3715753424657534   data
          RT_STRING      0xcf5a0   0x5fc    English   Great Britain  0.3087467362924282   data
          RT_STRING      0xcfb9c   0x65c    English   Great Britain  0.34336609336609336  data
          RT_STRING      0xd01f8   0x466    English   Great Britain  0.3605683836589698   data
          RT_STRING      0xd0660   0x158    English   Great Britain  0.502906976744186    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0
          RT_RCDATA      0xd07b8   0x4b468  (none)    (none)         1.0003275732336991   data
          RT_GROUP_ICON  0x11bc20  0x76     English   Great Britain  0.6610169491525424   data
          RT_GROUP_ICON  0x11bc98  0x14     English   Great Britain  1.25                 data
          RT_GROUP_ICON  0x11bcac  0x14     English   Great Britain  1.15                 data
          RT_GROUP_ICON  0x11bcc0  0x14     English   Great Britain  1.25                 data
          RT_VERSION     0x11bcd4  0xdc     English   Great Britain  0.6181818181818182   data
          RT_MANIFEST    0x11bdb0  0x3ef    English   Great Britain  0.5074478649453823   ASCII text, with CRLF line terminators
          DLL: Imports
          WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
          VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
          WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
          PSAPI.DLL: GetProcessMemoryInfo
          IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll: IsThemeActive
          KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
          USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
          GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
          COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
          ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
          SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
          OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
          Language of compilation system:English
          Country where language is spoken:Great Britain
          No network behavior found


          Target ID:0
          Start time:15:44:00
          Start date:04/07/2024
          Path:C:\Users\user\Desktop\New Quotation - FE7191PO154.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
          Imagebase:0xdb0000
          File size:1'173'504 bytes
          MD5 hash:494D46B06BE2512D5224DCBB309CC9C8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:2
          Start time:15:44:01
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\New Quotation - FE7191PO154.exe"
          Imagebase:0xa30000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2581820388.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2582022123.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:true
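          Analyst note on the two process records above (added here; not part of the Joe Sandbox output). Target 2 is the record that matters: the image on disk is C:\Windows\SysWOW64\svchost.exe (MD5 1ED18311E3DA35942DB37D15FA40CC5B, a 46,504-byte Microsoft binary), yet its command line is the sample's own path, and both FormBook YARA rules match on memory of that process rather than on any file. A command line is whatever the creating process handed to CreateProcessW, so this mismatch plus in-memory-only detections is the usual shape of a loader starting a legitimate host binary and writing its payload into it, which is also what the report's "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures describe. The 32-bit svchost.exe from SysWOW64 is the natural host for a PE32 sample. The OpenProcess, VirtualAllocEx, WriteProcessMemory and ResumeThread imports are consistent with that, but they are present in every binary built with the AutoIt runtime, so the process record, not the import table, is the evidence here. The check below is example detection logic written for this report: it flags a process whose command line names a different image than its executable path, and an svchost.exe started without the -k service-group argument that genuine service hosts carry. The two records are transcribed from the report; the third, benign svchost line is constructed as a control.

```python
import ntpath

# The two "Target ID" records from the report, plus one constructed benign
# svchost.exe record (not from the report) as a control.
PROCESSES = [
    {"target": 0,
     "path": r"C:\Users\user\Desktop\New Quotation - FE7191PO154.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\New Quotation - FE7191PO154.exe"'},
    {"target": 2,
     "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\New Quotation - FE7191PO154.exe"'},
    {"target": "control",                                   # constructed, benign
     "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]


def first_token(cmdline):
    """Program token of a Windows command line: a quoted path or the first bare word."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0] if s else ""


def norm(path):
    """Case-fold and normalise a Windows path so equal images compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def audit(processes):
    """Return {target: [reasons]} for every record that trips a rule."""
    findings = {}
    for p in processes:
        reasons = []
        image_from_cmdline = first_token(p["cmdline"])
        # Rule 1: the command line should name the executable that is running.
        if norm(image_from_cmdline) != norm(p["path"]):
            reasons.append("command line names a different image than the process path")
        # Rule 2: a genuine service host is started with "-k <group>".
        if ntpath.basename(norm(p["path"])) == "svchost.exe":
            if "-k" not in p["cmdline"].split():
                reasons.append("svchost.exe without a -k service group")
        if reasons:
            findings[p["target"]] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in audit(PROCESSES).items():
        for r in reasons:
            print(f"Target {target}: {r}")
```

          On the report's data only Target 2 is flagged, on both rules. The same two comparisons map directly onto Sysmon Event ID 1 fields (Image versus CommandLine) for a production rule; the hash of svchost.exe will always be clean, so file-reputation checks on the host process find nothing.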


            Execution Graph

            Execution Coverage:4%
            Dynamic/Decrypted Code Coverage:0.4%
            Signature Coverage:3%
            Total number of Nodes:2000
            Total number of Limit Nodes:162
            execution_graph: [call-graph node and edge listing for the 2000 nodes counted above; not legible as text]
98598->98599 98600 db81b2 98598->98600 98599->98579 98609 db80d7 59 API calls 2 library calls 98600->98609 98603 db7bbf 98602->98603 98604 db7be5 _memmove 98602->98604 98603->98604 98605 dd0ff6 Mailbox 59 API calls 98603->98605 98604->98595 98606 db7c34 98605->98606 98607 dd0ff6 Mailbox 59 API calls 98606->98607 98607->98604 98608->98594 98609->98599 98610 db1016 98615 db4ad2 98610->98615 98613 dd2f80 __cinit 67 API calls 98614 db1025 98613->98614 98616 dd0ff6 Mailbox 59 API calls 98615->98616 98617 db4ada 98616->98617 98618 db101b 98617->98618 98622 db4a94 98617->98622 98618->98613 98623 db4a9d 98622->98623 98625 db4aaf 98622->98625 98624 dd2f80 __cinit 67 API calls 98623->98624 98624->98625 98626 db4afe 98625->98626 98627 db77c7 59 API calls 98626->98627 98628 db4b16 GetVersionExW 98627->98628 98629 db7d2c 59 API calls 98628->98629 98630 db4b59 98629->98630 98631 db7e8c 59 API calls 98630->98631 98634 db4b86 98630->98634 98632 db4b7a 98631->98632 98633 db7886 59 API calls 98632->98633 98633->98634 98635 db4bf1 GetCurrentProcess IsWow64Process 98634->98635 98636 dedc8d 98634->98636 98637 db4c0a 98635->98637 98638 db4c89 GetSystemInfo 98637->98638 98639 db4c20 98637->98639 98640 db4c56 98638->98640 98650 db4c95 98639->98650 98640->98618 98643 db4c7d GetSystemInfo 98645 db4c47 98643->98645 98644 db4c32 98646 db4c95 2 API calls 98644->98646 98645->98640 98648 db4c4d FreeLibrary 98645->98648 98647 db4c3a GetNativeSystemInfo 98646->98647 98647->98645 98648->98640 98651 db4c2e 98650->98651 98652 db4c9e LoadLibraryA 98650->98652 98651->98643 98651->98644 98652->98651 98653 db4caf GetProcAddress 98652->98653 98653->98651 98654 dd7e93 98655 dd7e9f __read 98654->98655 98691 dda048 GetStartupInfoW 98655->98691 98658 dd7ea4 98693 dd8dbc GetProcessHeap 98658->98693 98659 dd7efc 98660 dd7f07 98659->98660 98776 dd7fe3 58 API calls 3 library calls 98659->98776 98694 dd9d26 98660->98694 98663 dd7f0d 98664 dd7f18 __RTC_Initialize 98663->98664 98777 dd7fe3 58 API calls 3 library 
calls 98663->98777 98715 ddd812 98664->98715 98667 dd7f27 98668 dd7f33 GetCommandLineW 98667->98668 98778 dd7fe3 58 API calls 3 library calls 98667->98778 98734 de5173 GetEnvironmentStringsW 98668->98734 98671 dd7f32 98671->98668 98674 dd7f4d 98675 dd7f58 98674->98675 98779 dd32f5 58 API calls 3 library calls 98674->98779 98744 de4fa8 98675->98744 98678 dd7f5e 98679 dd7f69 98678->98679 98780 dd32f5 58 API calls 3 library calls 98678->98780 98758 dd332f 98679->98758 98682 dd7f7c __wwincmdln 98764 db492e 98682->98764 98683 dd7f71 98683->98682 98781 dd32f5 58 API calls 3 library calls 98683->98781 98686 dd7f90 98687 dd7f9f 98686->98687 98782 dd3598 58 API calls _doexit 98686->98782 98783 dd3320 58 API calls _doexit 98687->98783 98690 dd7fa4 __read 98692 dda05e 98691->98692 98692->98658 98693->98659 98784 dd33c7 36 API calls 2 library calls 98694->98784 98696 dd9d2b 98785 dd9f7c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 98696->98785 98698 dd9d30 98699 dd9d34 98698->98699 98787 dd9fca TlsAlloc 98698->98787 98786 dd9d9c 61 API calls 2 library calls 98699->98786 98702 dd9d39 98702->98663 98703 dd9d46 98703->98699 98704 dd9d51 98703->98704 98788 dd8a15 98704->98788 98707 dd9d93 98796 dd9d9c 61 API calls 2 library calls 98707->98796 98710 dd9d72 98710->98707 98712 dd9d78 98710->98712 98711 dd9d98 98711->98663 98795 dd9c73 58 API calls 4 library calls 98712->98795 98714 dd9d80 GetCurrentThreadId 98714->98663 98716 ddd81e __read 98715->98716 98717 dd9e4b __lock 58 API calls 98716->98717 98718 ddd825 98717->98718 98719 dd8a15 __calloc_crt 58 API calls 98718->98719 98721 ddd836 98719->98721 98720 ddd8a1 GetStartupInfoW 98722 ddd9e5 98720->98722 98723 ddd8b6 98720->98723 98721->98720 98724 ddd841 @_EH4_CallFilterFunc@8 __read 98721->98724 98725 dddaad 98722->98725 98728 ddda32 GetStdHandle 98722->98728 98729 ddda45 GetFileType 98722->98729 98809 dda06b InitializeCriticalSectionAndSpinCount 98722->98809 98723->98722 98727 dd8a15 __calloc_crt 58 API calls 98723->98727 
98731 ddd904 98723->98731 98724->98667 98810 dddabd LeaveCriticalSection _doexit 98725->98810 98727->98723 98728->98722 98729->98722 98730 ddd938 GetFileType 98730->98731 98731->98722 98731->98730 98808 dda06b InitializeCriticalSectionAndSpinCount 98731->98808 98735 dd7f43 98734->98735 98736 de5184 98734->98736 98740 de4d6b GetModuleFileNameW 98735->98740 98737 dd8a5d __malloc_crt 58 API calls 98736->98737 98738 de51aa _memmove 98737->98738 98739 de51c0 FreeEnvironmentStringsW 98738->98739 98739->98735 98741 de4d9f _wparse_cmdline 98740->98741 98742 dd8a5d __malloc_crt 58 API calls 98741->98742 98743 de4ddf _wparse_cmdline 98741->98743 98742->98743 98743->98674 98745 de4fc1 __wsetenvp 98744->98745 98749 de4fb9 98744->98749 98746 dd8a15 __calloc_crt 58 API calls 98745->98746 98751 de4fea __wsetenvp 98746->98751 98747 de5041 98748 dd2f95 _free 58 API calls 98747->98748 98748->98749 98749->98678 98750 dd8a15 __calloc_crt 58 API calls 98750->98751 98751->98747 98751->98749 98751->98750 98752 de5066 98751->98752 98755 de507d 98751->98755 98811 de4857 58 API calls __wcsicmp_l 98751->98811 98753 dd2f95 _free 58 API calls 98752->98753 98753->98749 98812 dd9006 IsProcessorFeaturePresent 98755->98812 98757 de5089 98757->98678 98760 dd333b __IsNonwritableInCurrentImage 98758->98760 98835 dda711 98760->98835 98761 dd3359 __initterm_e 98762 dd2f80 __cinit 67 API calls 98761->98762 98763 dd3378 __cinit __IsNonwritableInCurrentImage 98761->98763 98762->98763 98763->98683 98765 db49e7 98764->98765 98766 db4948 98764->98766 98765->98686 98767 db4982 IsThemeActive 98766->98767 98838 dd35ac 98767->98838 98771 db49ae 98850 db4a5b SystemParametersInfoW SystemParametersInfoW 98771->98850 98773 db49ba 98851 db3b4c 98773->98851 98775 db49c2 SystemParametersInfoW 98775->98765 98776->98660 98777->98664 98778->98671 98782->98687 98783->98690 98784->98696 98785->98698 98786->98702 98787->98703 98791 dd8a1c 98788->98791 98790 dd8a57 98790->98707 98794 dda026 TlsSetValue 98790->98794 
98791->98790 98792 dd8a3a 98791->98792 98797 de5446 98791->98797 98792->98790 98792->98791 98805 dda372 Sleep 98792->98805 98794->98710 98795->98714 98796->98711 98798 de5451 98797->98798 98803 de546c 98797->98803 98799 de545d 98798->98799 98798->98803 98806 dd8d68 58 API calls __getptd_noexit 98799->98806 98801 de547c RtlAllocateHeap 98802 de5462 98801->98802 98801->98803 98802->98791 98803->98801 98803->98802 98807 dd35e1 DecodePointer 98803->98807 98805->98792 98806->98802 98807->98803 98808->98731 98809->98722 98810->98724 98811->98751 98813 dd9011 98812->98813 98818 dd8e99 98813->98818 98817 dd902c 98817->98757 98819 dd8eb3 _memset ___raise_securityfailure 98818->98819 98820 dd8ed3 IsDebuggerPresent 98819->98820 98826 dda395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98820->98826 98823 dd8fba 98825 dda380 GetCurrentProcess TerminateProcess 98823->98825 98824 dd8f97 ___raise_securityfailure 98827 ddc836 98824->98827 98825->98817 98826->98824 98828 ddc83e 98827->98828 98829 ddc840 IsProcessorFeaturePresent 98827->98829 98828->98823 98831 de5b5a 98829->98831 98834 de5b09 5 API calls ___raise_securityfailure 98831->98834 98833 de5c3d 98833->98823 98834->98833 98836 dda714 EncodePointer 98835->98836 98836->98836 98837 dda72e 98836->98837 98837->98761 98839 dd9e4b __lock 58 API calls 98838->98839 98840 dd35b7 DecodePointer EncodePointer 98839->98840 98903 dd9fb5 LeaveCriticalSection 98840->98903 98842 db49a7 98843 dd3614 98842->98843 98844 dd361e 98843->98844 98845 dd3638 98843->98845 98844->98845 98904 dd8d68 58 API calls __getptd_noexit 98844->98904 98845->98771 98847 dd3628 98905 dd8ff6 9 API calls __wcsicmp_l 98847->98905 98849 dd3633 98849->98771 98850->98773 98852 db3b59 __write_nolock 98851->98852 98853 db77c7 59 API calls 98852->98853 98854 db3b63 GetCurrentDirectoryW 98853->98854 98906 db3778 98854->98906 98856 db3b8c IsDebuggerPresent 98857 db3b9a 98856->98857 98858 ded4ad MessageBoxA 98856->98858 98859 ded4c7 98857->98859 98860 db3bb7 
98857->98860 98893 db3c73 98857->98893 98858->98859 99105 db7373 59 API calls Mailbox 98859->99105 98987 db73e5 98860->98987 98861 db3c7a SetCurrentDirectoryW 98864 db3c87 Mailbox 98861->98864 98864->98775 98865 ded4d7 98870 ded4ed SetCurrentDirectoryW 98865->98870 98867 db3bd5 GetFullPathNameW 98868 db7d2c 59 API calls 98867->98868 98869 db3c10 98868->98869 99003 dc0a8d 98869->99003 98870->98864 98873 db3c2e 98874 db3c38 98873->98874 99106 e14c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 98873->99106 99019 db3a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98874->99019 98877 ded50a 98877->98874 98881 ded51b 98877->98881 98883 db4864 61 API calls 98881->98883 98886 ded523 98883->98886 98887 db7f41 59 API calls 98886->98887 98893->98861 98903->98842 98904->98847 98905->98849 98907 db77c7 59 API calls 98906->98907 98908 db378e 98907->98908 99107 db3d43 98908->99107 98910 db37ac 98911 db4864 61 API calls 98910->98911 98912 db37c0 98911->98912 98913 db7f41 59 API calls 98912->98913 98914 db37cd 98913->98914 99121 db4f3d 98914->99121 98917 ded3ae 99188 e197e5 98917->99188 98918 db37ee Mailbox 98921 db81a7 59 API calls 98918->98921 98925 db3801 98921->98925 98922 ded3cd 98924 dd2f95 _free 58 API calls 98922->98924 98926 ded3da 98924->98926 99145 db93ea 98925->99145 98928 db4faa 84 API calls 98926->98928 98930 ded3e3 98928->98930 98934 db3ee2 59 API calls 98930->98934 98931 db7f41 59 API calls 98932 db381a 98931->98932 99148 db8620 98932->99148 98936 ded3fe 98934->98936 98935 db382c Mailbox 98937 db7f41 59 API calls 98935->98937 98938 db3ee2 59 API calls 98936->98938 98939 db3852 98937->98939 98941 ded41a 98938->98941 98940 db8620 69 API calls 98939->98940 98944 db3861 Mailbox 98940->98944 98942 db4864 61 API calls 98941->98942 98943 ded43f 98942->98943 98945 db3ee2 59 API calls 98943->98945 98947 db77c7 59 API calls 98944->98947 98946 ded44b 98945->98946 98948 db81a7 59 API calls 98946->98948 98949 db387f 98947->98949 98950 ded459 98948->98950 
99152 db3ee2 98949->99152 98952 db3ee2 59 API calls 98950->98952 98954 ded468 98952->98954 98960 db81a7 59 API calls 98954->98960 98956 db3899 98956->98930 98957 db38a3 98956->98957 98958 dd313d _W_store_winword 60 API calls 98957->98958 98959 db38ae 98958->98959 98959->98936 98961 db38b8 98959->98961 98963 ded48a 98960->98963 98962 dd313d _W_store_winword 60 API calls 98961->98962 98965 db38c3 98962->98965 98964 db3ee2 59 API calls 98963->98964 98966 ded497 98964->98966 98965->98941 98967 db38cd 98965->98967 98966->98966 98968 dd313d _W_store_winword 60 API calls 98967->98968 98969 db38d8 98968->98969 98969->98954 98970 db3919 98969->98970 98972 db3ee2 59 API calls 98969->98972 98970->98954 98971 db3926 98970->98971 99168 db942e 98971->99168 98973 db38fc 98972->98973 98976 db81a7 59 API calls 98973->98976 98978 db390a 98976->98978 98980 db3ee2 59 API calls 98978->98980 98980->98970 98982 db3961 98983 db93ea 59 API calls 98982->98983 98984 db9040 60 API calls 98982->98984 98985 db3ee2 59 API calls 98982->98985 98986 db39a7 Mailbox 98982->98986 98983->98982 98984->98982 98985->98982 98986->98856 98988 db73f2 __write_nolock 98987->98988 98989 db740b 98988->98989 98990 deee4b _memset 98988->98990 98991 db48ae 60 API calls 98989->98991 98992 deee67 GetOpenFileNameW 98990->98992 98993 db7414 98991->98993 98995 deeeb6 98992->98995 99989 dd09d5 98993->99989 98997 db7d2c 59 API calls 98995->98997 98999 deeecb 98997->98999 98999->98999 99000 db7429 100007 db69ca 99000->100007 99004 dc0a9a __write_nolock 99003->99004 100308 db6ee0 99004->100308 99006 dc0a9f 99007 db3c26 99006->99007 100319 dc12fe 89 API calls 99006->100319 99007->98865 99007->98873 99009 dc0aac 99009->99007 100320 dc4047 91 API calls Mailbox 99009->100320 99011 dc0ab5 99011->99007 99012 dc0ab9 GetFullPathNameW 99011->99012 99013 db7d2c 59 API calls 99012->99013 99014 dc0ae5 99013->99014 99015 db7d2c 59 API calls 99014->99015 99020 ded49c 99019->99020 99021 db3ac2 LoadImageW RegisterClassExW 99019->99021 
100358 db48fe LoadImageW EnumResourceNamesW 99020->100358 100357 db3041 7 API calls 99021->100357 99024 db3b46 99025 ded4a5 99105->98865 99106->98877 99108 db3d50 __write_nolock 99107->99108 99109 db7d2c 59 API calls 99108->99109 99112 db3eb6 Mailbox 99108->99112 99111 db3d82 99109->99111 99120 db3db8 Mailbox 99111->99120 99229 db7b52 99111->99229 99112->98910 99113 db7b52 59 API calls 99113->99120 99114 db7f41 59 API calls 99117 db3eaa 99114->99117 99115 db3e89 99115->99112 99115->99114 99116 db7f41 59 API calls 99116->99120 99118 db3f84 59 API calls 99117->99118 99118->99112 99119 db3f84 59 API calls 99119->99120 99120->99112 99120->99113 99120->99115 99120->99116 99120->99119 99232 db4d13 99121->99232 99126 dedd0f 99128 db4faa 84 API calls 99126->99128 99127 db4f68 LoadLibraryExW 99242 db4cc8 99127->99242 99130 dedd16 99128->99130 99132 db4cc8 3 API calls 99130->99132 99136 dedd1e 99132->99136 99134 db4f8f 99135 db4f9b 99134->99135 99134->99136 99137 db4faa 84 API calls 99135->99137 99268 db506b 99136->99268 99139 db37e6 99137->99139 99139->98917 99139->98918 99142 dedd45 99276 db5027 99142->99276 99144 dedd52 99146 dd0ff6 Mailbox 59 API calls 99145->99146 99147 db380d 99146->99147 99147->98931 99149 db862b 99148->99149 99151 db8652 99149->99151 99703 db8b13 69 API calls Mailbox 99149->99703 99151->98935 99153 db3eec 99152->99153 99154 db3f05 99152->99154 99155 db81a7 59 API calls 99153->99155 99156 db7d2c 59 API calls 99154->99156 99157 db388b 99155->99157 99156->99157 99158 dd313d 99157->99158 99159 dd31be 99158->99159 99160 dd3149 99158->99160 99706 dd31d0 60 API calls 3 library calls 99159->99706 99167 dd316e 99160->99167 99704 dd8d68 58 API calls __getptd_noexit 99160->99704 99163 dd31cb 99163->98956 99164 dd3155 99705 dd8ff6 9 API calls __wcsicmp_l 99164->99705 99166 dd3160 99166->98956 99167->98956 99169 db9436 99168->99169 99170 dd0ff6 Mailbox 59 API calls 99169->99170 99171 db9444 99170->99171 99172 db3936 99171->99172 99707 db935c 59 API calls Mailbox 
99171->99707 99174 db91b0 99172->99174 99708 db92c0 99174->99708 99176 db91bf 99177 dd0ff6 Mailbox 59 API calls 99176->99177 99178 db3944 99176->99178 99177->99178 99179 db9040 99178->99179 99180 def5a5 99179->99180 99186 db9057 99179->99186 99180->99186 99718 db8d3b 59 API calls Mailbox 99180->99718 99182 db9158 99184 dd0ff6 Mailbox 59 API calls 99182->99184 99183 db91a0 99717 db9e9c 60 API calls Mailbox 99183->99717 99187 db915f 99184->99187 99186->99182 99186->99183 99186->99187 99187->98982 99189 db5045 85 API calls 99188->99189 99190 e19854 99189->99190 99719 e199be 99190->99719 99193 db506b 74 API calls 99194 e19881 99193->99194 99195 db506b 74 API calls 99194->99195 99196 e19891 99195->99196 99197 db506b 74 API calls 99196->99197 99198 e198ac 99197->99198 99199 db506b 74 API calls 99198->99199 99200 e198c7 99199->99200 99201 db5045 85 API calls 99200->99201 99202 e198de 99201->99202 99203 dd594c std::exception::_Copy_str 58 API calls 99202->99203 99204 e198e5 99203->99204 99205 dd594c std::exception::_Copy_str 58 API calls 99204->99205 99206 e198ef 99205->99206 99207 db506b 74 API calls 99206->99207 99208 e19903 99207->99208 99209 e19393 GetSystemTimeAsFileTime 99208->99209 99210 e19916 99209->99210 99211 e19940 99210->99211 99212 e1992b 99210->99212 99214 e199a5 99211->99214 99215 e19946 99211->99215 99213 dd2f95 _free 58 API calls 99212->99213 99217 e19931 99213->99217 99216 dd2f95 _free 58 API calls 99214->99216 99725 e18d90 99215->99725 99222 ded3c1 99216->99222 99220 dd2f95 _free 58 API calls 99217->99220 99220->99222 99221 dd2f95 _free 58 API calls 99221->99222 99222->98922 99223 db4faa 99222->99223 99224 db4fbb 99223->99224 99225 db4fb4 99223->99225 99227 db4fdb FreeLibrary 99224->99227 99228 db4fca 99224->99228 99226 dd55d6 __fcloseall 83 API calls 99225->99226 99226->99224 99227->99228 99228->98922 99230 db7faf 59 API calls 99229->99230 99231 db7b5d 99230->99231 99231->99111 99281 db4d61 99232->99281 99235 db4d61 2 API calls 99238 db4d3a 
99235->99238 99236 db4d4a FreeLibrary 99237 db4d53 99236->99237 99239 dd548b 99237->99239 99238->99236 99238->99237 99285 dd54a0 99239->99285 99241 db4f5c 99241->99126 99241->99127 99442 db4d94 99242->99442 99245 db4ced 99246 db4d08 99245->99246 99247 db4cff FreeLibrary 99245->99247 99249 db4dd0 99246->99249 99247->99246 99248 db4d94 2 API calls 99248->99245 99250 dd0ff6 Mailbox 59 API calls 99249->99250 99251 db4de5 99250->99251 99252 db538e 59 API calls 99251->99252 99253 db4df1 _memmove 99252->99253 99254 db4e2c 99253->99254 99255 db4ee9 99253->99255 99256 db4f21 99253->99256 99257 db5027 69 API calls 99254->99257 99446 db4fe9 CreateStreamOnHGlobal 99255->99446 99457 e19ba5 95 API calls 99256->99457 99265 db4e35 99257->99265 99260 db506b 74 API calls 99260->99265 99262 db4ec9 99262->99134 99263 dedcd0 99264 db5045 85 API calls 99263->99264 99266 dedce4 99264->99266 99265->99260 99265->99262 99265->99263 99452 db5045 99265->99452 99267 db506b 74 API calls 99266->99267 99267->99262 99269 db507d 99268->99269 99270 deddf6 99268->99270 99481 dd5812 99269->99481 99273 e19393 99680 e191e9 99273->99680 99275 e193a9 99275->99142 99277 deddb9 99276->99277 99278 db5036 99276->99278 99685 dd5e90 99278->99685 99280 db503e 99280->99144 99282 db4d2e 99281->99282 99283 db4d6a LoadLibraryA 99281->99283 99282->99235 99282->99238 99283->99282 99284 db4d7b GetProcAddress 99283->99284 99284->99282 99287 dd54ac __read 99285->99287 99286 dd54bf 99334 dd8d68 58 API calls __getptd_noexit 99286->99334 99287->99286 99289 dd54f0 99287->99289 99304 de0738 99289->99304 99290 dd54c4 99335 dd8ff6 9 API calls __wcsicmp_l 99290->99335 99293 dd54f5 99294 dd54fe 99293->99294 99295 dd550b 99293->99295 99336 dd8d68 58 API calls __getptd_noexit 99294->99336 99297 dd5535 99295->99297 99298 dd5515 99295->99298 99319 de0857 99297->99319 99337 dd8d68 58 API calls __getptd_noexit 99298->99337 99299 dd54cf @_EH4_CallFilterFunc@8 __read 99299->99241 99305 de0744 __read 99304->99305 99306 dd9e4b __lock 58 
API calls 99305->99306 99317 de0752 99306->99317 99307 de07c6 99339 de084e 99307->99339 99308 de07cd 99309 dd8a5d __malloc_crt 58 API calls 99308->99309 99311 de07d4 99309->99311 99311->99307 99344 dda06b InitializeCriticalSectionAndSpinCount 99311->99344 99312 de0843 __read 99312->99293 99314 dd9ed3 __mtinitlocknum 58 API calls 99314->99317 99316 de07fa EnterCriticalSection 99316->99307 99317->99307 99317->99308 99317->99314 99342 dd6e8d 59 API calls __lock 99317->99342 99343 dd6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99317->99343 99327 de0877 __wopenfile 99319->99327 99320 de0891 99349 dd8d68 58 API calls __getptd_noexit 99320->99349 99322 de0896 99350 dd8ff6 9 API calls __wcsicmp_l 99322->99350 99324 de0aaf 99346 de87f1 99324->99346 99325 dd5540 99338 dd5562 LeaveCriticalSection LeaveCriticalSection _fseek 99325->99338 99327->99320 99333 de0a4c 99327->99333 99351 dd3a0b 60 API calls 2 library calls 99327->99351 99329 de0a45 99329->99333 99352 dd3a0b 60 API calls 2 library calls 99329->99352 99331 de0a64 99331->99333 99353 dd3a0b 60 API calls 2 library calls 99331->99353 99333->99320 99333->99324 99334->99290 99335->99299 99336->99299 99337->99299 99338->99299 99345 dd9fb5 LeaveCriticalSection 99339->99345 99341 de0855 99341->99312 99342->99317 99343->99317 99344->99316 99345->99341 99354 de7fd5 99346->99354 99348 de880a 99348->99325 99349->99322 99350->99325 99351->99329 99352->99331 99353->99333 99355 de7fe1 __read 99354->99355 99356 de7ff7 99355->99356 99359 de802d 99355->99359 99439 dd8d68 58 API calls __getptd_noexit 99356->99439 99358 de7ffc 99440 dd8ff6 9 API calls __wcsicmp_l 99358->99440 99365 de809e 99359->99365 99362 de8049 99441 de8072 LeaveCriticalSection __unlock_fhandle 99362->99441 99364 de8006 __read 99364->99348 99366 de80be 99365->99366 99367 dd471a __wsopen_nolock 58 API calls 99366->99367 99369 de80da 99367->99369 99368 dd9006 __invoke_watson 8 API calls 99370 de87f0 99368->99370 99372 de8114 99369->99372 99378 de8137 
99369->99378 99388 de8211 99369->99388 99371 de7fd5 __wsopen_helper 103 API calls 99370->99371 99373 de880a 99371->99373 99374 dd8d34 __read_nolock 58 API calls 99372->99374 99373->99362 99375 de8119 99374->99375 99376 dd8d68 __wcsicmp_l 58 API calls 99375->99376 99377 de8126 99376->99377 99379 dd8ff6 __wcsicmp_l 9 API calls 99377->99379 99380 de81f5 99378->99380 99387 de81d3 99378->99387 99381 de8130 99379->99381 99382 dd8d34 __read_nolock 58 API calls 99380->99382 99381->99362 99383 de81fa 99382->99383 99384 dd8d68 __wcsicmp_l 58 API calls 99383->99384 99385 de8207 99384->99385 99386 dd8ff6 __wcsicmp_l 9 API calls 99385->99386 99386->99388 99389 ddd4d4 __alloc_osfhnd 61 API calls 99387->99389 99388->99368 99390 de82a1 99389->99390 99391 de82ce 99390->99391 99392 de82ab 99390->99392 99393 de7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99391->99393 99394 dd8d34 __read_nolock 58 API calls 99392->99394 99404 de82f0 99393->99404 99395 de82b0 99394->99395 99397 dd8d68 __wcsicmp_l 58 API calls 99395->99397 99396 de836e GetFileType 99398 de83bb 99396->99398 99399 de8379 GetLastError 99396->99399 99401 de82ba 99397->99401 99411 ddd76a __set_osfhnd 59 API calls 99398->99411 99403 dd8d47 __dosmaperr 58 API calls 99399->99403 99400 de833c GetLastError 99405 dd8d47 __dosmaperr 58 API calls 99400->99405 99402 dd8d68 __wcsicmp_l 58 API calls 99401->99402 99402->99381 99406 de83a0 CloseHandle 99403->99406 99404->99396 99404->99400 99407 de7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99404->99407 99408 de8361 99405->99408 99406->99408 99409 de83ae 99406->99409 99410 de8331 99407->99410 99413 dd8d68 __wcsicmp_l 58 API calls 99408->99413 99412 dd8d68 __wcsicmp_l 58 API calls 99409->99412 99410->99396 99410->99400 99416 de83d9 99411->99416 99414 de83b3 99412->99414 99413->99388 99414->99408 99415 de8594 99415->99388 99418 de8767 CloseHandle 99415->99418 99416->99415 99417 de1b11 __lseeki64_nolock 60 API calls 99416->99417 99436 de845a 99416->99436 
99419 de8443 99417->99419 99420 de7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99418->99420 99422 dd8d34 __read_nolock 58 API calls 99419->99422 99419->99436 99421 de878e 99420->99421 99424 de87c2 99421->99424 99425 de8796 GetLastError 99421->99425 99422->99436 99423 de10ab 70 API calls __read_nolock 99423->99436 99424->99388 99426 dd8d47 __dosmaperr 58 API calls 99425->99426 99427 de87a2 99426->99427 99431 ddd67d __free_osfhnd 59 API calls 99427->99431 99428 de0d2d __close_nolock 61 API calls 99428->99436 99429 de848c 99430 de99f2 __chsize_nolock 82 API calls 99429->99430 99429->99436 99430->99429 99431->99424 99432 de1b11 60 API calls __lseeki64_nolock 99432->99436 99433 dddac6 __write 78 API calls 99433->99436 99434 de8611 99435 de0d2d __close_nolock 61 API calls 99434->99435 99437 de8618 99435->99437 99436->99415 99436->99423 99436->99428 99436->99429 99436->99432 99436->99433 99436->99434 99438 dd8d68 __wcsicmp_l 58 API calls 99437->99438 99438->99388 99439->99358 99440->99364 99441->99364 99443 db4ce1 99442->99443 99444 db4d9d LoadLibraryA 99442->99444 99443->99245 99443->99248 99444->99443 99445 db4dae GetProcAddress 99444->99445 99445->99443 99447 db5003 FindResourceExW 99446->99447 99451 db5020 99446->99451 99448 dedd5c LoadResource 99447->99448 99447->99451 99449 dedd71 SizeofResource 99448->99449 99448->99451 99450 dedd85 LockResource 99449->99450 99449->99451 99450->99451 99451->99254 99453 deddd4 99452->99453 99454 db5054 99452->99454 99458 dd5a7d 99454->99458 99456 db5062 99456->99265 99457->99254 99459 dd5a89 __read 99458->99459 99460 dd5a9b 99459->99460 99462 dd5ac1 99459->99462 99471 dd8d68 58 API calls __getptd_noexit 99460->99471 99473 dd6e4e 99462->99473 99464 dd5aa0 99472 dd8ff6 9 API calls __wcsicmp_l 99464->99472 99465 dd5ac7 99479 dd59ee 83 API calls 5 library calls 99465->99479 99468 dd5ad6 99480 dd5af8 LeaveCriticalSection LeaveCriticalSection _fseek 99468->99480 99470 dd5aab __read 99470->99456 99471->99464 99472->99470 
99474 dd6e5e 99473->99474 99475 dd6e80 EnterCriticalSection 99473->99475 99474->99475 99476 dd6e66 99474->99476 99477 dd6e76 99475->99477 99478 dd9e4b __lock 58 API calls 99476->99478 99477->99465 99478->99477 99479->99468 99480->99470 99484 dd582d 99481->99484 99483 db508e 99483->99273 99485 dd5839 __read 99484->99485 99486 dd587c 99485->99486 99487 dd5874 __read 99485->99487 99490 dd584f _memset 99485->99490 99488 dd6e4e __lock_file 59 API calls 99486->99488 99487->99483 99489 dd5882 99488->99489 99497 dd564d 99489->99497 99511 dd8d68 58 API calls __getptd_noexit 99490->99511 99493 dd5869 99512 dd8ff6 9 API calls __wcsicmp_l 99493->99512 99498 dd5683 99497->99498 99500 dd5668 _memset 99497->99500 99513 dd58b6 LeaveCriticalSection LeaveCriticalSection _fseek 99498->99513 99499 dd5673 99609 dd8d68 58 API calls __getptd_noexit 99499->99609 99500->99498 99500->99499 99508 dd56c3 99500->99508 99502 dd5678 99610 dd8ff6 9 API calls __wcsicmp_l 99502->99610 99505 dd57d4 _memset 99612 dd8d68 58 API calls __getptd_noexit 99505->99612 99508->99498 99508->99505 99514 dd4916 99508->99514 99521 de10ab 99508->99521 99589 de0df7 99508->99589 99611 de0f18 58 API calls 3 library calls 99508->99611 99511->99493 99512->99487 99513->99487 99515 dd4935 99514->99515 99516 dd4920 99514->99516 99515->99508 99613 dd8d68 58 API calls __getptd_noexit 99516->99613 99518 dd4925 99614 dd8ff6 9 API calls __wcsicmp_l 99518->99614 99520 dd4930 99520->99508 99522 de10cc 99521->99522 99523 de10e3 99521->99523 99624 dd8d34 58 API calls __getptd_noexit 99522->99624 99524 de181b 99523->99524 99529 de111d 99523->99529 99639 dd8d34 58 API calls __getptd_noexit 99524->99639 99527 de10d1 99625 dd8d68 58 API calls __getptd_noexit 99527->99625 99531 de1125 99529->99531 99537 de113c 99529->99537 99530 de1820 99640 dd8d68 58 API calls __getptd_noexit 99530->99640 99626 dd8d34 58 API calls __getptd_noexit 99531->99626 99534 de1131 99641 dd8ff6 9 API calls __wcsicmp_l 99534->99641 99535 de112a 99627 dd8d68 58 
101374 dc60f7 101373->101374 101375 db77c7 59 API calls 101374->101375 101376 dc60ff 101375->101376 101416 dc5bfd 101376->101416 101379 dc5bfd 59 API calls 101380 dc610f 101379->101380 101381 db77c7 59 API calls 101380->101381 101382 dc611a 101381->101382 101383 dd0ff6 Mailbox 59 API calls 101382->101383 101384 dbfa68 101383->101384 101385 dc6259 101384->101385 101386 dc6267 101385->101386 101387 db77c7 59 API calls 101386->101387 101388 dc6272 101387->101388 101389 db77c7 59 API calls 101388->101389 101390 dc627d 101389->101390 101391 db77c7 59 API calls 101390->101391 101392 dc6288 101391->101392 101393 db77c7 59 API calls 101392->101393 101394 dc6293 101393->101394 101395 dc5bfd 59 API calls 101394->101395 101396 dc629e 101395->101396 101397 dd0ff6 Mailbox 59 API calls 101396->101397 101398 dc62a5 RegisterWindowMessageW 101397->101398 101398->101348 101401 dcffee 101400->101401 101402 e05cc3 101400->101402 101403 dd0ff6 Mailbox 59 API calls 101401->101403 101419 e19d71 60 API calls 101402->101419 101406 dcfff6 101403->101406 101405 e05cce 101406->101352 101407->101359 101408->101361 101420 e1748f 65 API calls 101408->101420 101410 db77c7 59 API calls 101409->101410 101411 dd0227 101410->101411 101412 db77c7 59 API calls 101411->101412 101413 dd022f 101412->101413 101414 db77c7 59 API calls 101413->101414 101415 dd017b 101414->101415 101415->101365 101417 db77c7 59 API calls 101416->101417 101418 dc5c05 101417->101418 101418->101379 101419->101405

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB3B7A
            • IsDebuggerPresent.KERNEL32 ref: 00DB3B8C
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E762F8,00E762E0,?,?), ref: 00DB3BFD
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
              • Part of subcall function 00DC0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DB3C26,00E762F8,?,?,?), ref: 00DC0ACE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DB3C81
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E693F0,00000010), ref: 00DED4BC
            • SetCurrentDirectoryW.KERNEL32(?,00E762F8,?,?,?), ref: 00DED4F4
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E65D40,00E762F8,?,?,?), ref: 00DED57A
            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DED581
              • Part of subcall function 00DB3A58: GetSysColorBrush.USER32(0000000F), ref: 00DB3A62
              • Part of subcall function 00DB3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DB3A71
              • Part of subcall function 00DB3A58: LoadIconW.USER32(00000063), ref: 00DB3A88
              • Part of subcall function 00DB3A58: LoadIconW.USER32(000000A4), ref: 00DB3A9A
              • Part of subcall function 00DB3A58: LoadIconW.USER32(000000A2), ref: 00DB3AAC
              • Part of subcall function 00DB3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DB3AD2
              • Part of subcall function 00DB3A58: RegisterClassExW.USER32(?), ref: 00DB3B28
              • Part of subcall function 00DB39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DB3A15
              • Part of subcall function 00DB39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DB3A36
              • Part of subcall function 00DB39E7: ShowWindow.USER32(00000000,?,?), ref: 00DB3A4A
              • Part of subcall function 00DB39E7: ShowWindow.USER32(00000000,?,?), ref: 00DB3A53
              • Part of subcall function 00DB43DB: _memset.LIBCMT ref: 00DB4401
              • Part of subcall function 00DB43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DB44A6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
            • String ID: This is a third-party compiled AutoIt script.$runas$%
            • API String ID: 529118366-3343222573
            • Opcode ID: 2f8b2ced53ac6a52746799d6b5d899978609072f9bc96ab17923bf47190fe568
            • Instruction ID: 1b436f2b1a78525b3cdfed594c41b4dabb732addb73c79f888fcaefba5b3f872
            • Opcode Fuzzy Hash: 2f8b2ced53ac6a52746799d6b5d899978609072f9bc96ab17923bf47190fe568
            • Instruction Fuzzy Hash: DA51F430904289EFCB11EBB1DC0AEED7F79EB44304B044065F45AB21B2CE709A49DB31

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph: function starting at 0x00DB4AFE (calls GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo); node and edge list omitted
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00DB4B2B
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            • GetCurrentProcess.KERNEL32(?,00E3FAEC,00000000,00000000,?), ref: 00DB4BF8
            • IsWow64Process.KERNEL32(00000000), ref: 00DB4BFF
            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DB4C45
            • FreeLibrary.KERNEL32(00000000), ref: 00DB4C50
            • GetSystemInfo.KERNEL32(00000000), ref: 00DB4C81
            • GetSystemInfo.KERNEL32(00000000), ref: 00DB4C8D
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
            • String ID:
            • API String ID: 1986165174-0
            • Opcode ID: 5e2090cdf55f15fdd80ef553b86c1f5d8eee42badab5c29ec9e5324a64e3a392
            • Instruction ID: f84c1c09cbbefdfd8ff57cb602b648ac94651beea2ab1f02bacd52aa421027e9
            • Opcode Fuzzy Hash: 5e2090cdf55f15fdd80ef553b86c1f5d8eee42badab5c29ec9e5324a64e3a392
            • Instruction Fuzzy Hash: AA91E33194ABC4DEC731DB6984511EABFF5AF2A300B58499ED0CB93A42D630E908C779

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph: function starting at 0x00DB4FE9 (calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource); node and edge list omitted
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DB4EEE,?,?,00000000,00000000), ref: 00DB4FF9
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DB4EEE,?,?,00000000,00000000), ref: 00DB5010
            • LoadResource.KERNEL32(?,00000000,?,?,00DB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DB4F8F), ref: 00DEDD60
            • SizeofResource.KERNEL32(?,00000000,?,?,00DB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DB4F8F), ref: 00DEDD75
            • LockResource.KERNEL32(00DB4EEE,?,?,00DB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DB4F8F,00000000), ref: 00DEDD88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 1fb73d7976676c691e35a89d949f589e1ad74f26b96bcbda41e17f2861921437
            • Instruction ID: c81b2252896e167bb2af0602bbb1c583672aebecaf0b04d26ebaaeb062dd95b0
            • Opcode Fuzzy Hash: 1fb73d7976676c691e35a89d949f589e1ad74f26b96bcbda41e17f2861921437
            • Instruction Fuzzy Hash: 3F115A75600704EFD7219B66EC58F677BB9EBC9B12F244168F40696260DB62E8048670
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
            • API String ID: 0-3952547859
            • Opcode ID: f9145c10a2645941609057480ef8dd9b7c78ca541dfd972fedc2546b26db0096
            • Instruction ID: 6908a6e06ae32d47e653ba9b8fae368586648168029501bc1c0e7d236bcc67b4
            • Opcode Fuzzy Hash: f9145c10a2645941609057480ef8dd9b7c78ca541dfd972fedc2546b26db0096
            • Instruction Fuzzy Hash: 90A26B74A04205CFCB24CF58C880AEEB7B1FF48310F698469E956AB351D775ED86CBA1
            APIs
            • GetFileAttributesW.KERNELBASE(?,00DEE7C1), ref: 00E146A6
            • FindFirstFileW.KERNELBASE(?,?), ref: 00E146B7
            • FindClose.KERNEL32(00000000), ref: 00E146C7
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: ee7fd6085e065652f4699451613750255849e271ead3be3450bad15eab084e58
            • Instruction ID: c64931f03294409d847ec8d7c23f084cfad86a3b8164b649866679a4ca7d0275
            • Opcode Fuzzy Hash: ee7fd6085e065652f4699451613750255849e271ead3be3450bad15eab084e58
            • Instruction Fuzzy Hash: B3E0D8728104059F42106738EC4D8EB7B5C9F06339F100755F875E21F0E7B05D948595
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DC0BBB
            • timeGetTime.WINMM ref: 00DC0E76
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DC0FB3
            • TranslateMessage.USER32(?), ref: 00DC0FC7
            • DispatchMessageW.USER32(?), ref: 00DC0FD5
            • Sleep.KERNEL32(0000000A), ref: 00DC0FDF
            • LockWindowUpdate.USER32(00000000,?,?), ref: 00DC105A
            • DestroyWindow.USER32 ref: 00DC1066
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DC1080
            • Sleep.KERNEL32(0000000A,?,?), ref: 00DF52AD
            • TranslateMessage.USER32(?), ref: 00DF608A
            • DispatchMessageW.USER32(?), ref: 00DF6098
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DF60AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
            • API String ID: 4003667617-1825247661
            • Opcode ID: cf5f71823d535fdb21d7c0c47ba1e1312aec20ef45baae554c7cb567129a923a
            • Instruction ID: bfd97dd3ca97b9a52e9e0d70fca1e25d7a2f20d1f4c7ad53b6f598a8dc30f388
            • Opcode Fuzzy Hash: cf5f71823d535fdb21d7c0c47ba1e1312aec20ef45baae554c7cb567129a923a
            • Instruction Fuzzy Hash: 17B2C370608746DFD724DF24D844FAABBE4FF84304F18851DE69A97291DB71E884CBA2

            Control-flow Graph

            APIs
              • Part of subcall function 00E191E9: __time64.LIBCMT ref: 00E191F3
              • Part of subcall function 00DB5045: _fseek.LIBCMT ref: 00DB505D
            • __wsplitpath.LIBCMT ref: 00E194BE
              • Part of subcall function 00DD432E: __wsplitpath_helper.LIBCMT ref: 00DD436E
            • _wcscpy.LIBCMT ref: 00E194D1
            • _wcscat.LIBCMT ref: 00E194E4
            • __wsplitpath.LIBCMT ref: 00E19509
            • _wcscat.LIBCMT ref: 00E1951F
            • _wcscat.LIBCMT ref: 00E19532
              • Part of subcall function 00E1922F: _memmove.LIBCMT ref: 00E19268
              • Part of subcall function 00E1922F: _memmove.LIBCMT ref: 00E19277
            • _wcscmp.LIBCMT ref: 00E19479
              • Part of subcall function 00E199BE: _wcscmp.LIBCMT ref: 00E19AAE
              • Part of subcall function 00E199BE: _wcscmp.LIBCMT ref: 00E19AC1
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E196DC
            • _wcsncpy.LIBCMT ref: 00E1974F
            • DeleteFileW.KERNEL32(?,?), ref: 00E19785
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E1979B
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E197AC
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E197BE
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 1500180987-0
            • Opcode ID: c556ddb1e434239fbe7db094be795d392efc5262ea9da969b73971df12de630f
            • Instruction ID: 76462d4da7bca844520da420fa5ec13efe35a2ae8d9678db6658f39cc88f3390
            • Opcode Fuzzy Hash: c556ddb1e434239fbe7db094be795d392efc5262ea9da969b73971df12de630f
            • Instruction Fuzzy Hash: ABC11BB1D00219AADF11DFA5DC95EDEBBBDEF45310F0040AAF609F6251DB309A848F65

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00DB3074
            • RegisterClassExW.USER32(00000030), ref: 00DB309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
            • InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
            • LoadIconW.USER32(000000A9), ref: 00DB30F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 5b8acc27058409058f5c586a0c1dcba0ca8988cd90462ab49a999379c236e816
            • Instruction ID: 3003c7cbd14996b3cb22812ccf2521b150b24ba98967876bea3a4bd469279e47
            • Opcode Fuzzy Hash: 5b8acc27058409058f5c586a0c1dcba0ca8988cd90462ab49a999379c236e816
            • Instruction Fuzzy Hash: A73147B1C14309AFEB00CFA5E889AD9BFF0FB09314F10412AE544B62A0E3B50589CF91

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00DB3074
            • RegisterClassExW.USER32(00000030), ref: 00DB309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
            • InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
            • LoadIconW.USER32(000000A9), ref: 00DB30F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 31d92c2f02f1b9d00c181ba3d83cb51bb4794ed688c8b859ea85150b29ceaabe
            • Instruction ID: 99db6b21dfafe2eaff1431b28791405dab201d0c821b253ae0ecfd1eddef9ea4
            • Opcode Fuzzy Hash: 31d92c2f02f1b9d00c181ba3d83cb51bb4794ed688c8b859ea85150b29ceaabe
            • Instruction Fuzzy Hash: D321C5B1D10218AFEB00DFA6E989B9DBFF4FB08704F00412AF515B62A1D7B14588CF95

            Control-flow Graph

            APIs
              • Part of subcall function 00DB4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E762F8,?,00DB37C0,?), ref: 00DB4882
              • Part of subcall function 00DD074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DB72C5), ref: 00DD0771
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DB7308
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DEECF1
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DEED32
            • RegCloseKey.ADVAPI32(?), ref: 00DEED70
            • _wcscat.LIBCMT ref: 00DEEDC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 2673923337-2727554177
            • Opcode ID: 5ef900162707f1d5615693bb8d7e75a9117e632fe94880bd875401be117e1585
            • Instruction ID: 968f529d598b41ccc82723e133ea1e2694313d4ac004cbb3efbb0444bab21b4c
            • Opcode Fuzzy Hash: 5ef900162707f1d5615693bb8d7e75a9117e632fe94880bd875401be117e1585
            • Instruction Fuzzy Hash: 8B7152B14083419EC314EF66EC859ABBBE8FF94750F44492EF499A3271DB709988CB71

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph: window procedure starting at 0x00DB3633 (calls DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus); node and edge list omitted
            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 00DB36D2
            • KillTimer.USER32(?,00000001), ref: 00DB36FC
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DB371F
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB372A
            • CreatePopupMenu.USER32 ref: 00DB373E
            • PostQuitMessage.USER32(00000000), ref: 00DB375F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated$%
            • API String ID: 129472671-3835587964
            • Opcode ID: ceff00b7a3cab395d383a781cd6e973fa6f57d5c9cbf70755ed3875f167e1329
            • Instruction ID: 23a40ac0afd9e2696c55b1a84c0d0cf74bd337e5fb44cbe2c4141b6a04ab9d43
            • Opcode Fuzzy Hash: ceff00b7a3cab395d383a781cd6e973fa6f57d5c9cbf70755ed3875f167e1329
            • Instruction Fuzzy Hash: 894119B1210A45FFDB14AF69DC0ABF93B55EB40300F180129F947E62B2DE64DE94A772

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00DB3A62
            • LoadCursorW.USER32(00000000,00007F00), ref: 00DB3A71
            • LoadIconW.USER32(00000063), ref: 00DB3A88
            • LoadIconW.USER32(000000A4), ref: 00DB3A9A
            • LoadIconW.USER32(000000A2), ref: 00DB3AAC
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DB3AD2
            • RegisterClassExW.USER32(?), ref: 00DB3B28
              • Part of subcall function 00DB3041: GetSysColorBrush.USER32(0000000F), ref: 00DB3074
              • Part of subcall function 00DB3041: RegisterClassExW.USER32(00000030), ref: 00DB309E
              • Part of subcall function 00DB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DB30AF
              • Part of subcall function 00DB3041: InitCommonControlsEx.COMCTL32(?), ref: 00DB30CC
              • Part of subcall function 00DB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DB30DC
              • Part of subcall function 00DB3041: LoadIconW.USER32(000000A9), ref: 00DB30F2
              • Part of subcall function 00DB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DB3101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: b402b9e556ba057402f748912ad4585798fc993aa6be2e9710a3ca4bd68c9b62
            • Instruction ID: c6243855201f351b98f38335b27bb2cea4ec5ba516cb443b81e52e1d583fd985
            • Opcode Fuzzy Hash: b402b9e556ba057402f748912ad4585798fc993aa6be2e9710a3ca4bd68c9b62
            • Instruction Fuzzy Hash: F6213C70D10348AFDB50DFA6EC09B9D7FB5EB08714F00012AF608BA2B1D7B655989F94

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
            • API String ID: 1825951767-3834736419
            • Opcode ID: 9fc6ce983d731fb98b348b1c1790372020ad50ffc68e86eacd6fda468fc5eebf
            • Instruction ID: 4962bcc28267939a7ca9efcc65033a3bcbe27e9b6d1cff899ed26df453cac7cb
            • Opcode Fuzzy Hash: 9fc6ce983d731fb98b348b1c1790372020ad50ffc68e86eacd6fda468fc5eebf
            • Instruction Fuzzy Hash: EDA12871910269DACB04EFA4CC96AEEB778FF54300F44052AE416B6192EF75AA09DB70

            Control-flow Graph

            APIs
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD03D3
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD03DB
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD03E6
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD03F1
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD03F9
              • Part of subcall function 00DD03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD0401
              • Part of subcall function 00DC6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00DBFA90), ref: 00DC62B4
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DBFB2D
            • OleInitialize.OLE32(00000000), ref: 00DBFBAA
            • CloseHandle.KERNEL32(00000000), ref: 00DF49F2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID: <g$\d$%$c
            • API String ID: 1986988660-619945097
            • Opcode ID: 3631f911e61f758b164fee8876a6764a0561e31fe537319445b6db910caeb007
            • Instruction ID: c0ca0d3ebaa98cb6c63816fe9ea41036308bc6bb29992169ebdc19eb84ba661c
            • Opcode Fuzzy Hash: 3631f911e61f758b164fee8876a6764a0561e31fe537319445b6db910caeb007
            • Instruction Fuzzy Hash: BE8187B0900A419FC798DF2BA9566557BE5FB8830C710956AD02DFB262FB31848DCF61

            Control-flow Graph
            (graph rendering omitted; function at 3042600, API calls shown in the graph: CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification, VirtualFree)
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 030426D1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 030428F7
            Memory Dump Source
            • Source File: 00000000.00000002.2103783677.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3040000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction ID: 1166a3c2daa89fcee9e58d6edea108a859aa8897b27930040ca95fe01f8d20c2
            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction Fuzzy Hash: 10A1FDB4E02209EBDB14CFA4C954BEEBBB9FF48304F2485A9E501BB280D7759A45CF54

            Control-flow Graph
            (graph rendering omitted; single block at db39e7, API calls shown in the graph: CreateWindowExW x2, ShowWindow x2)
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DB3A15
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DB3A36
            • ShowWindow.USER32(00000000,?,?), ref: 00DB3A4A
            • ShowWindow.USER32(00000000,?,?), ref: 00DB3A53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 65b6d301e65b13920e8736d1c97464353987e62939bcf3aba01968325b802360
            • Instruction ID: bdb603bf2cfd6ee0955c37c3ab3f70ff9295445d1f2b0c5c4663ea0b3a9d1b64
            • Opcode Fuzzy Hash: 65b6d301e65b13920e8736d1c97464353987e62939bcf3aba01968325b802360
            • Instruction Fuzzy Hash: 1DF03A70A002D47EEA7097236C0DE272E7DD7C6F54F00002AFA08B6271C6A50884DAB0

            Control-flow Graph
            (graph rendering omitted; function at 30423b0, API calls shown in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess)
            APIs
              • Part of subcall function 030422A0: Sleep.KERNELBASE(000001F4), ref: 030422B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 030424F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103783677.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3040000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: OLC0S3YGUZ6OPT
            • API String ID: 2694422964-1454880221
            • Opcode ID: c54f2b8c7de979a0b91e8ec36cab0d8863dcd02fdf0132ad507d3107ab6cace6
            • Instruction ID: 962dccfc5ca5dab0e4f79c3690ddefea37e3b5b5880f85b94e6603b25b0d5e1f
            • Opcode Fuzzy Hash: c54f2b8c7de979a0b91e8ec36cab0d8863dcd02fdf0132ad507d3107ab6cace6
            • Instruction Fuzzy Hash: E251A470E15248EBEF10DBB4C854BEEBBB9AF54300F0045A8E608BB2C0D7B91B45CB65

            Control-flow Graph
            (graph rendering omitted; function at db410d, API calls shown in the graph: LoadStringW, Shell_NotifyIconW)
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DED5EC
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            • _memset.LIBCMT ref: 00DB418D
            • _wcscpy.LIBCMT ref: 00DB41E1
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DB41F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
            • String ID: Line:
            • API String ID: 3942752672-1585850449
            • Opcode ID: f1bbca41e40dd5117867ef1a3de954221aeb11988fe8d689e0282b1614aaeb85
            • Instruction ID: 2f7f48aa9a584f415cf5c6c0339b7a954ffff522b0018dec8f43e1dc07fe4ad7
            • Opcode Fuzzy Hash: f1bbca41e40dd5117867ef1a3de954221aeb11988fe8d689e0282b1614aaeb85
            • Instruction Fuzzy Hash: 4331B071408345EFD761EB64DC46FDB77E8AF54304F10451EF19AA21A2EB70A688CBB2
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction ID: cd0144ae160e79300af837d5d32537b6066c3f4fa2133059e03f7f2795d49531
            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction Fuzzy Hash: 52519234A00B05EBDB249FA9E88066E77A1EF40320F38876BE825963D8D770DD559B70
            APIs
              • Part of subcall function 00DB4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4F6F
            • _free.LIBCMT ref: 00DEE68C
            • _free.LIBCMT ref: 00DEE6D3
              • Part of subcall function 00DB6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DB6D0D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 2861923089-1757145024
            • Opcode ID: 9c90400caa4765588a054730d8f296447b0c3238c4518630c92046cb124d222e
            • Instruction ID: cd1c4a7f7d395b38b86af3e3d75d6441d328cfa10d05c16a53b6cb31595b7305
            • Opcode Fuzzy Hash: 9c90400caa4765588a054730d8f296447b0c3238c4518630c92046cb124d222e
            • Instruction Fuzzy Hash: 03914871910259EFCF14EFA5C8919EDBBB4FF18314F14446AE816AB2A1EB30E945CB70
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DB35A1,SwapMouseButtons,00000004,?), ref: 00DB35D4
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DB35A1,SwapMouseButtons,00000004,?,?,?,?,00DB2754), ref: 00DB35F5
            • RegCloseKey.KERNELBASE(00000000,?,?,00DB35A1,SwapMouseButtons,00000004,?,?,?,?,00DB2754), ref: 00DB3617
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 849f746deca79a02ef6e8e18ffd08050142853fdac17c948a79726fe13954405
            • Instruction ID: 6dac5da2cff3517745fdec884732f368075f8cef5dd52361ce6cfd758ce2441f
            • Opcode Fuzzy Hash: 849f746deca79a02ef6e8e18ffd08050142853fdac17c948a79726fe13954405
            • Instruction Fuzzy Hash: 631148B5910208FFDB208F69DC84AEEBBB8EF04740F005469E806E7210D2719E44AB60
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03041A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03041AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03041B13
            Memory Dump Source
            • Source File: 00000000.00000002.2103783677.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3040000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
            • Instruction ID: a4f0afc9bd31553a54b034d888d5b00966481cbd4334edbaa9902259e3ac9d56
            • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
            • Instruction Fuzzy Hash: 62621974A15218DBEB24CFA4C850BDEB376EF58300F1095A9D10DEB390E77A9E81CB59
            APIs
              • Part of subcall function 00DB5045: _fseek.LIBCMT ref: 00DB505D
              • Part of subcall function 00E199BE: _wcscmp.LIBCMT ref: 00E19AAE
              • Part of subcall function 00E199BE: _wcscmp.LIBCMT ref: 00E19AC1
            • _free.LIBCMT ref: 00E1992C
            • _free.LIBCMT ref: 00E19933
            • _free.LIBCMT ref: 00E1999E
              • Part of subcall function 00DD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD9C64), ref: 00DD2FA9
              • Part of subcall function 00DD2F95: GetLastError.KERNEL32(00000000,?,00DD9C64), ref: 00DD2FBB
            • _free.LIBCMT ref: 00E199A6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction ID: 403166e37b69326ec9c2bda3635a63c93fd3351644acd3aa5c0ca411d47cefbd
            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction Fuzzy Hash: F8514FB1D04218AFDF249F65DC41ADEBBB9EF48310F1004AEB609A7241DB715A80CF69
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
            • Instruction ID: 51a4515d72d387282f58712ee06fd2523e4045e48a0a0058c8f65d94ebc655fc
            • Opcode Fuzzy Hash: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
            • Instruction Fuzzy Hash: EC41D5706406069BDF28CFAAC8909AF77AAEF80364B28813FE855C7740D770DD408B74
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove
            • String ID: AU3!P/$EA06
            • API String ID: 4104443479-182974850
            • Opcode ID: a390387629a8b7b0c4733d6915d3d8dadddaa65684a1e4d8b91a150f47150228
            • Instruction ID: c4273c27a0216daac81bd45a7c768109d318c8227d97352d24f0aa675291ab32
            • Opcode Fuzzy Hash: a390387629a8b7b0c4733d6915d3d8dadddaa65684a1e4d8b91a150f47150228
            • Instruction Fuzzy Hash: 25415922A04154EBDF21DB6498617FE7FA6EF05300F6C4465F883AB287CA21DD4487B1
            APIs
            • _memset.LIBCMT ref: 00DEEE62
            • GetOpenFileNameW.COMDLG32(?), ref: 00DEEEAC
              • Part of subcall function 00DB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB48A1,?,?,00DB37C0,?), ref: 00DB48CE
              • Part of subcall function 00DD09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DD09F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: 6d90a90790129622427671c9a6ffbb7945b4abf5c3c489a1d8cb6e025f191016
            • Instruction ID: 9e845837a37c7d1871e9b3560074cec57413904ad273b3cb6386140589bf0d81
            • Opcode Fuzzy Hash: 6d90a90790129622427671c9a6ffbb7945b4abf5c3c489a1d8cb6e025f191016
            • Instruction Fuzzy Hash: D421A170A002989BCB11DF94C845BEE7BFC9F89714F04801AE409F7282DBB499898FB1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __fread_nolock_memmove
            • String ID: EA06
            • API String ID: 1988441806-3962188686
            • Opcode ID: 54cf71aeeab781c0b32d3cdcec2e7332abf2a28f8f72601ce2ac72e11e6e4fd3
            • Instruction ID: 62404e1038df38ef296b71009ad0a3b39773352425409dd593345d9bbf4e3c6d
            • Opcode Fuzzy Hash: 54cf71aeeab781c0b32d3cdcec2e7332abf2a28f8f72601ce2ac72e11e6e4fd3
            • Instruction Fuzzy Hash: 2001B9719042587EDB28D6A8DC56EFEBBF8DB15301F00419BF552E2281E575A6049B70
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00E19B82
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E19B99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 1909f62eb420000cf451bb16b49b7f617ee0e72b877a01b1faa84d5b39ba4dfc
            • Instruction ID: aab6523c6ed003cc5e5f1aa3ca78729221ddd1362469728e55e5988c66f2b588
            • Opcode Fuzzy Hash: 1909f62eb420000cf451bb16b49b7f617ee0e72b877a01b1faa84d5b39ba4dfc
            • Instruction Fuzzy Hash: D5D0177998030DABDA109A90AC0EF9ABB2CA704701F0042A1BA64A10A1EEB055988A91
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05fceeabee190aec5a068a07da106074466af8cbc57f47015cd9c66f715bc124
            • Instruction ID: c1812573fbb977a5b76fb509361064dbd8787799fa09965f8516a3dbcb825515
            • Opcode Fuzzy Hash: 05fceeabee190aec5a068a07da106074466af8cbc57f47015cd9c66f715bc124
            • Instruction Fuzzy Hash: B2F15871608350DFC714DF28D880A6ABBE5FF88314F14992DF99AAB251D730E945CF92
            APIs
            • _memset.LIBCMT ref: 00DB4401
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DB44A6
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DB44C3
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: IconNotifyShell_$_memset
            • String ID:
            • API String ID: 1505330794-0
            • Opcode ID: 7707feec82da7878e49463af0e48508116e8574df4e4aeaff8f13eca1f449400
            • Instruction ID: 37745f947935e6ba82dc1f822943d2af179398cf2a196cdc3098a57944e6f681
            • Opcode Fuzzy Hash: 7707feec82da7878e49463af0e48508116e8574df4e4aeaff8f13eca1f449400
            • Instruction Fuzzy Hash: 13316170504741CFD760DF25D8847D7BBE8FB49308F04092EF59A93252D7B5A958CBA2
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00DD5963
              • Part of subcall function 00DDA3AB: __NMSG_WRITE.LIBCMT ref: 00DDA3D2
              • Part of subcall function 00DDA3AB: __NMSG_WRITE.LIBCMT ref: 00DDA3DC
            • __NMSG_WRITE.LIBCMT ref: 00DD596A
              • Part of subcall function 00DDA408: GetModuleFileNameW.KERNEL32(00000000,00E743BA,00000104,?,00000001,00000000), ref: 00DDA49A
              • Part of subcall function 00DDA408: ___crtMessageBoxW.LIBCMT ref: 00DDA548
              • Part of subcall function 00DD32DF: ___crtCorExitProcess.LIBCMT ref: 00DD32E5
              • Part of subcall function 00DD32DF: ExitProcess.KERNEL32 ref: 00DD32EE
              • Part of subcall function 00DD8D68: __getptd_noexit.LIBCMT ref: 00DD8D68
            • RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DD1013,?), ref: 00DD598F
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: da41ac73d783e20474c070897a23cdbdb3dbd065146a60f6905b55343994121d
            • Instruction ID: 0c34e632910b017ecfa4d9cc292d0f4f861db4d8fd531a26e040f6cc8f6f61d1
            • Opcode Fuzzy Hash: da41ac73d783e20474c070897a23cdbdb3dbd065146a60f6905b55343994121d
            • Instruction Fuzzy Hash: D301F531241B15DEE6227B66FC62A2E7249CF51770F14002BF405AA3D1DF70DD418B75
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E197D2,?,?,?,?,?,00000004), ref: 00E19B45
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E19B5B
            • CloseHandle.KERNEL32(00000000,?,00E197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E19B62
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 9e80002c9f213457ed26f7057f3d3e32fe50b52ff1e2ee329eb62c360db37104
            • Instruction ID: 25ef95496966c419369bdee1b54498e3e3c920f15fb596a4bd1519dfe0405510
            • Opcode Fuzzy Hash: 9e80002c9f213457ed26f7057f3d3e32fe50b52ff1e2ee329eb62c360db37104
            • Instruction Fuzzy Hash: 90E08632581318BBD7211B55FC0DFDA7F68AB05765F104220FB64790E187B125159798
            APIs
            • _free.LIBCMT ref: 00E18FA5
              • Part of subcall function 00DD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD9C64), ref: 00DD2FA9
              • Part of subcall function 00DD2F95: GetLastError.KERNEL32(00000000,?,00DD9C64), ref: 00DD2FBB
            • _free.LIBCMT ref: 00E18FB6
            • _free.LIBCMT ref: 00E18FC8
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction ID: 0a44cac538ed9a3116cdcbb6c31bfa64d5fecb6b2d1d0de0c71e0c2d9cfed8d7
            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction Fuzzy Hash: 1BE012B17097054ACA24A679AE40EE757EE9F4C3547181C1EB409EB242DF24E8828134
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID: CALL
            • API String ID: 0-4196123274
            • Opcode ID: 95055b08f9d5ea284c226c1f21da94c34a0da6a07275ef0435a76b1adc4c93a3
            • Instruction ID: c7cc00c7409aa0d0e066506acc43bdf810f85b1ae77a99f212eced1dee092056
            • Opcode Fuzzy Hash: 95055b08f9d5ea284c226c1f21da94c34a0da6a07275ef0435a76b1adc4c93a3
            • Instruction Fuzzy Hash: 60223774508341DFC724DF18C494BAABBE1FF85300F19895DE89A9B262D771EC85CBA2
            APIs
            • IsThemeActive.UXTHEME ref: 00DB4992
              • Part of subcall function 00DD35AC: __lock.LIBCMT ref: 00DD35B2
              • Part of subcall function 00DD35AC: DecodePointer.KERNEL32(00000001,?,00DB49A7,00E081BC), ref: 00DD35BE
              • Part of subcall function 00DD35AC: EncodePointer.KERNEL32(?,?,00DB49A7,00E081BC), ref: 00DD35C9
              • Part of subcall function 00DB4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DB4A73
              • Part of subcall function 00DB4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DB4A88
              • Part of subcall function 00DB3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB3B7A
              • Part of subcall function 00DB3B4C: IsDebuggerPresent.KERNEL32 ref: 00DB3B8C
              • Part of subcall function 00DB3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E762F8,00E762E0,?,?), ref: 00DB3BFD
              • Part of subcall function 00DB3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DB3C81
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DB49D2
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 1438897964-0
            • Opcode ID: b59c02b5fdd83de8312f5746980bf22a7aefa4d6ea4d39c39f37fe04525020fb
            • Instruction ID: 77a857c50a978c3b753cd62332df99649fa99df1f53c29d8849e4f5530a21edf
            • Opcode Fuzzy Hash: b59c02b5fdd83de8312f5746980bf22a7aefa4d6ea4d39c39f37fe04525020fb
            • Instruction Fuzzy Hash: 98119D719183519FC700DF2AEC0594AFFE8EF95710F00451EF19AA72B2DB709588CBA6
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00DB5981,?,?,?,?), ref: 00DB5E27
            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00DB5981,?,?,?,?), ref: 00DEE19C
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 05e6f458238db5e2b0fd067324aa3bd27e6050d0b10312b9a762f9698d9ab330
            • Instruction ID: 5e1b178107c4eacd3d6cac37135f08045865ebe038e396bf637e2b13240d4c40
            • Opcode Fuzzy Hash: 05e6f458238db5e2b0fd067324aa3bd27e6050d0b10312b9a762f9698d9ab330
            • Instruction Fuzzy Hash: 6E019670244708FEF3251E14DC8AFB67BDCEB05768F148314FAE66A1D0C6B05E458B60
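            The two file-handling blocks above, CreateFileW followed by SetFileTime and CloseHandle at 00E19B45..00E19B62 and the paired CreateFileW calls at 00DB5E27 and 00DEE19C, only become readable once the raw hexadecimal arguments are named. The following is an added example, not part of the Joe Sandbox report or of the AutoIt runtime it analyses: a Python parser for the plugin's "Name.MODULE(args), ref: ADDR" lines (including the "Part of subcall function" form and the bare form without parentheses) and a decoder for the dwDesiredAccess, dwShareMode and dwCreationDisposition arguments of CreateFileW. Only arguments the sandbox resolved are decoded; "?" entries stay as "?", and the values the trace prints after the seventh argument are stack residue and are ignored. The sample lines are copied from the 00E19B45 block.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" entry as printed by the Joe Sandbox IDA plugin, e.g.
#   • CreateFileW.KERNELBASE(?,40000000,00000001,...), ref: 00E19B45
#   • Part of subcall function 00DD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DD9C64), ref: 00DD2FA9
#   • IsThemeActive.UXTHEME ref: 00DB4992
API_LINE = re.compile(
    r"^(?:•\s*)?"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw argument text; "?" means the sandbox could not resolve it
    ref: int                 # return address of the call site (the "ref:" column)
    parent: Optional[int]    # function named under "Part of subcall function", if any

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    parent = m.group("parent")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(parent, 16) if parent else None)

# CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
#             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def _bits(value: int, table: dict) -> str:
    """Name every known bit in value; unknown bits are kept as a hex remainder."""
    names = [n for bit, n in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"

def decode_createfile(call: ApiCall) -> Optional[dict]:
    """Name the CreateFileW arguments the sandbox resolved; trailing stack residue is ignored."""
    if call.name not in ("CreateFileW", "CreateFileA") or len(call.args) < 7:
        return None
    def num(i: int) -> Optional[int]:
        return None if call.args[i] == "?" else int(call.args[i], 16)
    access, share, disp, attrs = num(1), num(2), num(4), num(5)
    return {
        "access": "?" if access is None else _bits(access, GENERIC_ACCESS),
        "share": "?" if share is None else _bits(share, SHARE_MODE),
        "disposition": "?" if disp is None else DISPOSITION.get(disp, hex(disp)),
        "attributes": "?" if attrs is None else hex(attrs),
        "ref": call.ref,
    }

def decode_block(lines: List[str]) -> List[dict]:
    """Decode every CreateFileW call in one APIs block and record the calls that follow it."""
    calls = [c for c in map(parse_api_line, lines) if c]
    out = []
    for i, c in enumerate(calls):
        d = decode_createfile(c)
        if d:
            d["followed_by"] = [n.name for n in calls[i + 1:]]
            out.append(d)
    return out

# Sample input: the three API lines of the report block at 00E19B45..00E19B62
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E197D2,?,?,?,?,?,00000004), ref: 00E19B45",
    "• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E19B5B",
    "• CloseHandle.KERNEL32(00000000,?,00E197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E19B62",
]

if __name__ == "__main__":
    for d in decode_block(SAMPLE_LINES):
        print(d)
```

            On the 00E19B45 block this yields GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and attributes 0x80 (FILE_ATTRIBUTE_NORMAL), followed by SetFileTime and CloseHandle: an existing file is opened for writing so that its timestamps can be set. The 00DEE19C call decodes to GENERIC_READ|GENERIC_WRITE with OPEN_ALWAYS, the write-mode counterpart of the read-only OPEN_EXISTING call at 00DB5E27, which is consistent with a file-open helper that picks the mode at run time. Both are runtime file I/O; the decoded flags show what the script can do, not which file it touched, because lpFileName is unresolved ("?") in every call here.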
            APIs
              • Part of subcall function 00DD594C: __FF_MSGBANNER.LIBCMT ref: 00DD5963
              • Part of subcall function 00DD594C: __NMSG_WRITE.LIBCMT ref: 00DD596A
              • Part of subcall function 00DD594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DD1013,?), ref: 00DD598F
            • std::exception::exception.LIBCMT ref: 00DD102C
            • __CxxThrowException@8.LIBCMT ref: 00DD1041
              • Part of subcall function 00DD87DB: RaiseException.KERNEL32(?,?,?,00E6BAF8,00000000,?,?,?,?,00DD1046,?,00E6BAF8,?,00000001), ref: 00DD8830
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: 36c80f2f93f54b242e971a99100ed8bcea8d595d5515451c472a6422f7bdf301
            • Instruction ID: 7fc5f7a7fb73ad46c4f35e1abaf7b260cc4286cbe798e361c4d3d56cc82a1514
            • Opcode Fuzzy Hash: 36c80f2f93f54b242e971a99100ed8bcea8d595d5515451c472a6422f7bdf301
            • Instruction Fuzzy Hash: 07F0A439540219B7CB21BA98FC069EF7BACDF00761F50042BF904A6791DFB18A8496B5
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __lock_file_memset
            • String ID:
            • API String ID: 26237723-0
            • Opcode ID: cac2b8681814f5fcb3d0d047d34b659e7f3578f8ccb629557978d2853348cd06
            • Instruction ID: 06a8d34bc67a295b5c7fea6465a0433d9ef801e90f2ff798bb4a07197853909d
            • Opcode Fuzzy Hash: cac2b8681814f5fcb3d0d047d34b659e7f3578f8ccb629557978d2853348cd06
            • Instruction Fuzzy Hash: B1014471800609EBCF12AF69DC0699E7B65EF40360F198217F8245A3A5DB31CA51FBB1
            APIs
              • Part of subcall function 00DD8D68: __getptd_noexit.LIBCMT ref: 00DD8D68
            • __lock_file.LIBCMT ref: 00DD561B
              • Part of subcall function 00DD6E4E: __lock.LIBCMT ref: 00DD6E71
            • __fclose_nolock.LIBCMT ref: 00DD5626
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: 7a340a15d9d9f374030eae5f0cb3579b90299f452185d30297de9230b54173fc
            • Instruction ID: 8f389ae79c0b63ffefb57a91771b5b8fb4a6977a5c4c1a2a810cfa0e030cbd95
            • Opcode Fuzzy Hash: 7a340a15d9d9f374030eae5f0cb3579b90299f452185d30297de9230b54173fc
            • Instruction Fuzzy Hash: CAF0BB71840B049AD7217F79A80275E77A19F41374F558207F465AB3C5CF7CC9019B75
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03041A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03041AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03041B13
            Memory Dump Source
            • Source File: 00000000.00000002.2103783677.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3040000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction ID: b2db96474e39d17f4719f8af3f165efb6d795a4bd8a731e98c8cea5c9f3494a4
            • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction Fuzzy Hash: EB12DE24E24658C6EB24DF60D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A
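            The block above is the one place in this listing where process-manipulation APIs (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory) are called from the 03040000 dump, which the report marks "based on PE: false", i.e. memory that is not backed by an image on disk, rather than from the main image at 00DB0000. That combination is what the "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures describe. The following is an added example, not part of the Joe Sandbox report: a Python detector that takes a list of (api, return address) events and a region map, flags process-manipulation calls whose call site lies in unbacked memory, and matches a staged create / get-context / access-memory sequence. The region sizes, the CreateFileW event and the write/allocate stage of the matcher are assumptions used to generalise beyond the three calls on the page; the page itself shows only a read of the child's context and memory.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    image_backed: bool     # "based on PE: true" in the report: backed by a mapped image

@dataclass(frozen=True)
class ApiEvent:
    api: str
    ref: int               # return address of the call site (the report's "ref:" column)

# APIs that create, inspect or modify another process. Calling them from memory that
# is not backed by an image on disk is the behaviour the report signatures describe.
PROCESS_MANIPULATION = {
    "CreateProcessW", "CreateProcessA", "GetThreadContext", "Wow64GetThreadContext",
    "SetThreadContext", "Wow64SetThreadContext", "ReadProcessMemory", "WriteProcessMemory",
    "VirtualAllocEx", "NtUnmapViewOfSection", "ResumeThread",
}

# Ordered stages of a hollowing-style sequence. The report shows the first three calls
# (create, read context, read memory); the write/allocate/unmap alternatives in the last
# stage are an assumption added to generalise the matcher, they are not on the page.
HOLLOWING_STAGES = [
    {"CreateProcessW", "CreateProcessA"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection"},
]

def region_for(addr: int, regions: List[Region]) -> Optional[Region]:
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None

def detect_injection(events: List[ApiEvent], regions: List[Region]) -> List[dict]:
    """Flag manipulation APIs called from unbacked memory and the staged sequence."""
    findings = []
    stage, chain = 0, []
    for e in events:
        r = region_for(e.ref, regions)
        unbacked = r is None or not r.image_backed
        if e.api in PROCESS_MANIPULATION and unbacked:
            findings.append({"kind": "process_manipulation_from_unbacked_memory",
                             "api": e.api, "ref": e.ref,
                             "region": None if r is None else r.base})
        # The sequence is only counted when every stage runs from unbacked memory
        if unbacked and stage < len(HOLLOWING_STAGES) and e.api in HOLLOWING_STAGES[stage]:
            chain.append(e.api)
            stage += 1
            if stage == len(HOLLOWING_STAGES):
                findings.append({"kind": "hollowing_sequence", "chain": list(chain)})
    return findings

# Constructed sample modelled on the report: the main image at 00DB0000 (based on PE: true)
# and the 03040000 dump (based on PE: false). Sizes are assumptions, not taken from the page.
SAMPLE_REGIONS = [
    Region(base=0x00DB0000, size=0x000D0000, image_backed=True),
    Region(base=0x03040000, size=0x00010000, image_backed=False),
]
SAMPLE_EVENTS = [
    ApiEvent("CreateFileW", 0x00DB5E27),            # runtime file I/O from the main image
    ApiEvent("CreateProcessW", 0x03041A5B),         # the three call sites listed under 03040000
    ApiEvent("Wow64GetThreadContext", 0x03041AF1),
    ApiEvent("ReadProcessMemory", 0x03041B13),
]

def scan_sample() -> List[dict]:
    return detect_injection(SAMPLE_EVENTS, SAMPLE_REGIONS)

if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

            The region test is the part that carries the signal: CreateProcessW from the main image is what any launcher does, CreateProcessW from a dump the sandbox could not map to a PE is not. Wow64GetThreadContext rather than GetThreadContext also tells you the 32-bit sample is handling a 32-bit child under WOW64, which is consistent with the "based on PE: false" region being a stage that was unpacked at run time.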
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b8204ffb721d0b8cf222ee1075889514ca900138ea801adf5dbf1a3c19d7f749
            • Instruction ID: 81a2d2b09b3fa98ce04524e663520c7079c885a71e4b2e4564c9eef5ac6d0b7b
            • Opcode Fuzzy Hash: b8204ffb721d0b8cf222ee1075889514ca900138ea801adf5dbf1a3c19d7f749
            • Instruction Fuzzy Hash: F661787460020ADFDB20EF64C991ABBB7E5EF49300F188479EA479B241E771ED51CBA1
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f888a73a01c3bd74e46f385ad7cd492500fdecaad020f888c1fb1f901869ce67
            • Instruction ID: f8afb880765ae72bd5d237dd6ea7c19ea2b3bd37dd6092e912ce9ec1d8fcc3c9
            • Opcode Fuzzy Hash: f888a73a01c3bd74e46f385ad7cd492500fdecaad020f888c1fb1f901869ce67
            • Instruction Fuzzy Hash: E5515E35600605EBCF14EB64C991FBEB7A6EF85310F198168F946AB396CB30ED048B75
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00DB5CF6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: d4f6e179bb3f384b4f269016e5222dc7b11375686e5609b1c1858d967800ec48
            • Instruction ID: aab1f0d6bff1fb6a79023c6bfad3cb327fc7ec9627a52f0d66c1c8147ccfe6b6
            • Opcode Fuzzy Hash: d4f6e179bb3f384b4f269016e5222dc7b11375686e5609b1c1858d967800ec48
            • Instruction Fuzzy Hash: A9313D71A00B09EBCB18DF29D48479DBBB6FF48310F188619D81A93754D771A950DBA0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 87e95d9bbb88ec48af4eb9360be9bfb18c35b4951569206d6b0fa0b8d4e7fd23
            • Instruction ID: d36a7e960182a75366f93ee159d83aa47b4d415cbd04effe759ac28d227573c0
            • Opcode Fuzzy Hash: 87e95d9bbb88ec48af4eb9360be9bfb18c35b4951569206d6b0fa0b8d4e7fd23
            • Instruction Fuzzy Hash: 84410474604341DFDB24DF18C484B6ABBE0AF45318F09889CE98A8B362C772EC45CB62
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 4571315d0a9bb4359420e8d281eab6ab4d5a0071ea703f077da96249364c6918
            • Instruction ID: 515b37c7906ccdf2af6af3540b52532c5fa1026071b83d1bf4592a7865cb76e3
            • Opcode Fuzzy Hash: 4571315d0a9bb4359420e8d281eab6ab4d5a0071ea703f077da96249364c6918
            • Instruction Fuzzy Hash: 5621D230A00A08EBDF106F56F8857AA7FF8FF14390F21846AE486D5114EBB194E4D775
            APIs
              • Part of subcall function 00DB4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DB4D4D
              • Part of subcall function 00DD548B: __wfsopen.LIBCMT ref: 00DD5496
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4F6F
              • Part of subcall function 00DB4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DB4D02
              • Part of subcall function 00DB4DD0: _memmove.LIBCMT ref: 00DB4E1A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Library$Free$Load__wfsopen_memmove
            • String ID:
            • API String ID: 1396898556-0
            • Opcode ID: 234413dfb53905e9427531e22d233ab631aa223477a5e8454be8dc5a7d6229f5
            • Instruction ID: 2c8b07ff9aaed19df699bdad258196e85335eeb8a4d2889eb57a6c928ad2dff8
            • Opcode Fuzzy Hash: 234413dfb53905e9427531e22d233ab631aa223477a5e8454be8dc5a7d6229f5
            • Instruction Fuzzy Hash: 0911C131A00309EACB10FF70DC16BEE77A9DF84701F108429F542A7283DE719A059BB1
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: ee1142c9a190ff4fbecdbedfc0f34dd4c56ceacd3b100571225c878b2aa2e3cf
            • Instruction ID: 0a2ae79918a1e41754aaa225da637d898b6a8c52e7098794663adb8a13a92b39
            • Opcode Fuzzy Hash: ee1142c9a190ff4fbecdbedfc0f34dd4c56ceacd3b100571225c878b2aa2e3cf
            • Instruction Fuzzy Hash: 3D210474A08341DFCB14DF18C445A6ABBE0FF84704F098968F98A57722D731E849CB62
            APIs
            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00DB5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00DB5D76
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: a9d84a3f66523f7b00ce351cc20535e7c7c28b1c373db6ebd03a90efbacf0ed2
            • Instruction ID: f58fc4f01ab5ce3277819718573364069c8a10f0ce023aa0a5758ef1adb9a584
            • Opcode Fuzzy Hash: a9d84a3f66523f7b00ce351cc20535e7c7c28b1c373db6ebd03a90efbacf0ed2
            • Instruction Fuzzy Hash: F9110631200B05DFD3308F15E888BA6B7E9EF45760F14CA2EE5AB86A54D7B1E945CB60
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
            • Instruction ID: 31c3ef3db1a07d6e43201d7e462fa37d5aa1df88cfd36069ff08c2506ca2fadc
            • Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
            • Instruction Fuzzy Hash: 83018FB9600642AFC305EB69D841E66FBA9FF8A3107148159F819C7702DB30EC21CBF0
            APIs
            • __lock_file.LIBCMT ref: 00DD4AD6
              • Part of subcall function 00DD8D68: __getptd_noexit.LIBCMT ref: 00DD8D68
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: 03783bc402692f09e960dd3a665cb01ea3c5063a81a0f8f7ee9fb51e0de20461
            • Instruction ID: 36b29ef047bc2c32b39cf87f4f7c7cadfa23f00f51f4bc03602ff960ef9009ae
            • Opcode Fuzzy Hash: 03783bc402692f09e960dd3a665cb01ea3c5063a81a0f8f7ee9fb51e0de20461
            • Instruction Fuzzy Hash: 7BF08C31940209ABDB62AF65CC0639E36A5EF00329F198516B424AA2D1DB788A50EF71
            APIs
            • FreeLibrary.KERNEL32(?,?,00E762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4FDE
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 3e55577daaba46858ebe9ce2c3691aec7da0adfd2c9ef040950b4a23c54c07db
            • Instruction ID: 049a3eb2d43a1dad83140df72a1a87719a8ff32cc85dd6753cea043f1e49c293
            • Opcode Fuzzy Hash: 3e55577daaba46858ebe9ce2c3691aec7da0adfd2c9ef040950b4a23c54c07db
            • Instruction Fuzzy Hash: 95F03971505712CFCB34DF65E4948A2BBE1BF083293248A3EE1D783612CB71A844DF60
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DD09F4
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LongNamePath_memmove
            • String ID:
            • API String ID: 2514874351-0
            • Opcode ID: 7b8e57c17b091ea779c139ed125b3e5fe21d68b1fc193cf8260f73700659e582
            • Instruction ID: b1097c70497ee5684d48d21e64e8ef132de9aee2adaed0b258260a3b4311f414
            • Opcode Fuzzy Hash: 7b8e57c17b091ea779c139ed125b3e5fe21d68b1fc193cf8260f73700659e582
            • Instruction Fuzzy Hash: DAE08636E042289BC720E659DC05FFA77ADDF89690F0401B5FC0CD7254D9609C8186A0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction ID: b6fef3a3b81123ee4382a6933cb7995ebd7a00e2e8b4072093ddefe3d7946bef
            • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction Fuzzy Hash: 28E092B1204B005FD7348A24D810BE373E0EB06319F00081DF2DA93342EB6278818759
            APIs
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00DEE16B,?,?,00000000), ref: 00DB5DBF
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: 19b1eec67a7f61517e69670b652d01e0552d98e99fa4eb2e43d1e8bc5b41a0dc
            • Instruction ID: 64647a2519f553d9e759ea8a87869a11bbc55671fab6ac98e50cc4792607eeb6
            • Opcode Fuzzy Hash: 19b1eec67a7f61517e69670b652d01e0552d98e99fa4eb2e43d1e8bc5b41a0dc
            • Instruction Fuzzy Hash: A4D0C77464020CBFE710DB81DC46FA97BBCD705710F100294FD0466290D6F27D548795
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __wfsopen
            • String ID:
            • API String ID: 197181222-0
            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction ID: e99affe6c373cb2789816aae53f19b72078613052c2bd4c633dbde1d8cec9f40
            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction Fuzzy Hash: 43B0927684020C77DE112E82FC02A593B199B40679F808021FB0C18262A673A6A096AA
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00DF221A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: PathTemp
            • String ID:
            • API String ID: 2920410445-0
            • Opcode ID: d2587227563240f673f74011fce32936bbdc7ecb97793a611dab5d42f5cb892a
            • Instruction ID: d3120f4b27c69b315b42165fd55adfc82a5b729011d5c5a0f9281e1a154fbbab
            • Opcode Fuzzy Hash: d2587227563240f673f74011fce32936bbdc7ecb97793a611dab5d42f5cb892a
            • Instruction Fuzzy Hash: DEC04C7485401DDFEB15A750CC95AB9762CEF01701F1040D5B6459515095B05B44CE31
            APIs
            • GetLastError.KERNEL32(00000002,00000000), ref: 00E1D46A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorLast
            • String ID:
            • API String ID: 1452528299-0
            • Opcode ID: ef12e7705a926443a3db37c3d180b8a0695a77398eb566ae85eb31a360db3a27
            • Instruction ID: f82212c1074bb09a3cda4c896517aea42514e4d4da557d553310e96f43c11261
            • Opcode Fuzzy Hash: ef12e7705a926443a3db37c3d180b8a0695a77398eb566ae85eb31a360db3a27
            • Instruction Fuzzy Hash: E2713034208341DFC714EF24D891AEEB7E5EF88314F04556DF596AB2A2DB30E949CB62
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 65a8874955dce3cce5f1359d8d738d7e5881881f3b1fc460dfb6f1dbbda6277b
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 3531B271A00105DBC718DF59D480A69FBA6FF99310F688AA6E44ACB751DB31EDC1CBE0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 030422B1
            Memory Dump Source
            • Source File: 00000000.00000002.2103783677.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3040000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: d668eca4f08a61279d4ee9fb1f1137c1989e0bdb66c67398174e59f296caaf5f
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 68E0E67494110EEFDB00EFB8D64969E7FB4EF04301F1005A1FD01D2280D6309E508A72
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E3CE50
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CE91
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E3CED6
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E3CF00
            • SendMessageW.USER32 ref: 00E3CF29
            • _wcsncpy.LIBCMT ref: 00E3CFA1
            • GetKeyState.USER32(00000011), ref: 00E3CFC2
            • GetKeyState.USER32(00000009), ref: 00E3CFCF
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E3CFE5
            • GetKeyState.USER32(00000010), ref: 00E3CFEF
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E3D018
            • SendMessageW.USER32 ref: 00E3D03F
            • SendMessageW.USER32(?,00001030,?,00E3B602), ref: 00E3D145
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E3D15B
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E3D16E
            • SetCapture.USER32(?), ref: 00E3D177
            • ClientToScreen.USER32(?,?), ref: 00E3D1DC
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E3D1E9
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E3D203
            • ReleaseCapture.USER32 ref: 00E3D20E
            • GetCursorPos.USER32(?), ref: 00E3D248
            • ScreenToClient.USER32(?,?), ref: 00E3D255
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E3D2B1
            • SendMessageW.USER32 ref: 00E3D2DF
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E3D31C
            • SendMessageW.USER32 ref: 00E3D34B
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E3D36C
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E3D37B
            • GetCursorPos.USER32(?), ref: 00E3D39B
            • ScreenToClient.USER32(?,?), ref: 00E3D3A8
            • GetParent.USER32(?), ref: 00E3D3C8
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E3D431
            • SendMessageW.USER32 ref: 00E3D462
            • ClientToScreen.USER32(?,?), ref: 00E3D4C0
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E3D4F0
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E3D51A
            • SendMessageW.USER32 ref: 00E3D53D
            • ClientToScreen.USER32(?,?), ref: 00E3D58F
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E3D5C3
              • Part of subcall function 00DB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DB25EC
            • GetWindowLongW.USER32(?,000000F0), ref: 00E3D65F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F$pr
            • API String ID: 3977979337-1436871235
            • Opcode ID: deb885c9ec5cfc75f0a74ff56195762f1b78b90ec47a8fc7457e1e32a7725024
            • Instruction ID: 4781c8c225f16427d0770eecea760417ab3dcb5b9cc609c4a4ec617714b2f0e2
            • Opcode Fuzzy Hash: deb885c9ec5cfc75f0a74ff56195762f1b78b90ec47a8fc7457e1e32a7725024
            • Instruction Fuzzy Hash: D842AD30608241AFD725CF29C848EAABFE5FF48318F24151DF69AB72A1C731D854DB92
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E3873F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: 5cd09b78fc3acdf68b57a9af30d15d307791126347483697cd4a4e8ad5f5d7be
            • Instruction ID: 7c1cfbe2afe584302569a702e50a54acf9185b1be55e3a0360ee6eebce037a3e
            • Opcode Fuzzy Hash: 5cd09b78fc3acdf68b57a9af30d15d307791126347483697cd4a4e8ad5f5d7be
            • Instruction Fuzzy Hash: AE12AE71500308AFEB258F25CE4DFAA7FA5EF49714F20612AF915FB2A1DB708945CB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
            • API String ID: 1357608183-3460961967
            • Opcode ID: 914409acad636d6c78012b7b98c1a09040d1f8098b5e443de9d103ff586efa89
            • Instruction ID: e2fbd4b4a48195bcb4b26990cb2440edfadee77274eaa4df1622a1fa1298c844
            • Opcode Fuzzy Hash: 914409acad636d6c78012b7b98c1a09040d1f8098b5e443de9d103ff586efa89
            • Instruction Fuzzy Hash: 5A938F75A002169BDB24CFA8D885BADB7F1FF48314F24916AE955BB2C0E7709EC1CB50
            APIs
            • GetForegroundWindow.USER32(00000000,?), ref: 00DB4A3D
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DEDA8E
            • IsIconic.USER32(?), ref: 00DEDA97
            • ShowWindow.USER32(?,00000009), ref: 00DEDAA4
            • SetForegroundWindow.USER32(?), ref: 00DEDAAE
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DEDAC4
            • GetCurrentThreadId.KERNEL32 ref: 00DEDACB
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DEDAD7
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DEDAE8
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DEDAF0
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00DEDAF8
            • SetForegroundWindow.USER32(?), ref: 00DEDAFB
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEDB10
            • keybd_event.USER32(00000012,00000000), ref: 00DEDB1B
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEDB25
            • keybd_event.USER32(00000012,00000000), ref: 00DEDB2A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEDB33
            • keybd_event.USER32(00000012,00000000), ref: 00DEDB38
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DEDB42
            • keybd_event.USER32(00000012,00000000), ref: 00DEDB47
            • SetForegroundWindow.USER32(?), ref: 00DEDB4A
            • AttachThreadInput.USER32(?,?,00000000), ref: 00DEDB71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: ac048435735081d11d72827e50dc7bea0e18905f1de96e7bbffb75aa847500cc
            • Instruction ID: 3fa01a650a4ccc097fe2320b05afd85242929c844a6ca3cbb4f149b5b6bf74ba
            • Opcode Fuzzy Hash: ac048435735081d11d72827e50dc7bea0e18905f1de96e7bbffb75aa847500cc
            • Instruction Fuzzy Hash: 4F315271E4031CBFEB216F629C4AF7E3E6DEB44B50F154025FA04BA1D1DAB09D00AAA0
            APIs
              • Part of subcall function 00E08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E08D0D
              • Part of subcall function 00E08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E08D3A
              • Part of subcall function 00E08CC3: GetLastError.KERNEL32 ref: 00E08D47
            • _memset.LIBCMT ref: 00E0889B
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E088ED
            • CloseHandle.KERNEL32(?), ref: 00E088FE
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E08915
            • GetProcessWindowStation.USER32 ref: 00E0892E
            • SetProcessWindowStation.USER32(00000000), ref: 00E08938
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E08952
              • Part of subcall function 00E08713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E08851), ref: 00E08728
              • Part of subcall function 00E08713: CloseHandle.KERNEL32(?,?,00E08851), ref: 00E0873A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: 72247526e41b41101232f6af5a0ad7143c523c8774bcc644417de75f1df1d8fd
            • Instruction ID: dfe53becf8170e727e8e44711f099ced70ada8efc4372179f9563797aef6cbd1
            • Opcode Fuzzy Hash: 72247526e41b41101232f6af5a0ad7143c523c8774bcc644417de75f1df1d8fd
            • Instruction Fuzzy Hash: 85815F71D00209AFDF11DFA4DE49AEE7BB8EF04308F08516AF954B62A1DB358E54DB60
            APIs
            • OpenClipboard.USER32(00E3F910), ref: 00E24284
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E24292
            • GetClipboardData.USER32(0000000D), ref: 00E2429A
            • CloseClipboard.USER32 ref: 00E242A6
            • GlobalLock.KERNEL32(00000000), ref: 00E242C2
            • CloseClipboard.USER32 ref: 00E242CC
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E242E1
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00E242EE
            • GetClipboardData.USER32(00000001), ref: 00E242F6
            • GlobalLock.KERNEL32(00000000), ref: 00E24303
            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E24337
            • CloseClipboard.USER32 ref: 00E24447
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: 0d4742447cfb284c161f8e6b37e34196abbe2dc782ebb5ace50fd76f14ce4212
            • Instruction ID: 6b736fee5f52a8de62aa660b12d391e018314494f1b15e5c2a744257aae2bd5c
            • Opcode Fuzzy Hash: 0d4742447cfb284c161f8e6b37e34196abbe2dc782ebb5ace50fd76f14ce4212
            • Instruction Fuzzy Hash: 78517F71604215AFD311FF61EC9AFAE7BA8AF84B00F105529F556B21F1DF7099088B62
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00E1C9F8
            • FindClose.KERNEL32(00000000), ref: 00E1CA4C
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E1CA71
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E1CA88
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E1CAAF
            • __swprintf.LIBCMT ref: 00E1CAFB
            • __swprintf.LIBCMT ref: 00E1CB3E
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
            • __swprintf.LIBCMT ref: 00E1CB92
              • Part of subcall function 00DD38D8: __woutput_l.LIBCMT ref: 00DD3931
            • __swprintf.LIBCMT ref: 00E1CBE0
              • Part of subcall function 00DD38D8: __flsbuf.LIBCMT ref: 00DD3953
              • Part of subcall function 00DD38D8: __flsbuf.LIBCMT ref: 00DD396B
            • __swprintf.LIBCMT ref: 00E1CC2F
            • __swprintf.LIBCMT ref: 00E1CC7E
            • __swprintf.LIBCMT ref: 00E1CCCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 3953360268-2428617273
            • Opcode ID: 241925cf3a20fde917fc434b97a0a126693f63e18b2300b6de7e377fd069f6c3
            • Instruction ID: 5fa7a4051a086a391cbca9fcf36e7a60c65f64cdaecd101874a10b85e3c0072e
            • Opcode Fuzzy Hash: 241925cf3a20fde917fc434b97a0a126693f63e18b2300b6de7e377fd069f6c3
            • Instruction Fuzzy Hash: A4A10BB1508344EBC700EB64D896DEFB7ECEF94704F404929B686D6291EA34DA48CB72
            APIs
            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E1F221
            • _wcscmp.LIBCMT ref: 00E1F236
            • _wcscmp.LIBCMT ref: 00E1F24D
            • GetFileAttributesW.KERNEL32(?), ref: 00E1F25F
            • SetFileAttributesW.KERNEL32(?,?), ref: 00E1F279
            • FindNextFileW.KERNEL32(00000000,?), ref: 00E1F291
            • FindClose.KERNEL32(00000000), ref: 00E1F29C
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E1F2B8
            • _wcscmp.LIBCMT ref: 00E1F2DF
            • _wcscmp.LIBCMT ref: 00E1F2F6
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E1F308
            • SetCurrentDirectoryW.KERNEL32(00E6A5A0), ref: 00E1F326
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E1F330
            • FindClose.KERNEL32(00000000), ref: 00E1F33D
            • FindClose.KERNEL32(00000000), ref: 00E1F34F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: 0289381235f4603bcaf627074d2a09ee9746e6083a3de600ef1a5015e1b1d990
            • Instruction ID: 44a3e5315a41baafa222b3031667f174d2b1f5049fd1e7e551834deee6036778
            • Opcode Fuzzy Hash: 0289381235f4603bcaf627074d2a09ee9746e6083a3de600ef1a5015e1b1d990
            • Instruction Fuzzy Hash: 3031B4769002196FDB10DBB5EC58ADE77AC9F48365F141176F815F30A0EB30DA85CAA0
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E30BDE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E3F910,00000000,?,00000000,?,?), ref: 00E30C4C
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E30C94
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E30D1D
            • RegCloseKey.ADVAPI32(?), ref: 00E3103D
            • RegCloseKey.ADVAPI32(00000000), ref: 00E3104A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: 84f1638e23ab85e3f5b2218a7c1322d5b8425a72a39346b8db490c7d5930e6cd
            • Instruction ID: 7abbae2894f9be668a91d882f4f347bc99246aea55baa6a29d26eb222857f9ac
            • Opcode Fuzzy Hash: 84f1638e23ab85e3f5b2218a7c1322d5b8425a72a39346b8db490c7d5930e6cd
            • Instruction Fuzzy Hash: BE025B752006419FCB14EF24C895E6ABBE5EF89714F04985DF98AAB362CB30ED41CB61
            APIs
            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E1F37E
            • _wcscmp.LIBCMT ref: 00E1F393
            • _wcscmp.LIBCMT ref: 00E1F3AA
              • Part of subcall function 00E145C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E145DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 00E1F3D9
            • FindClose.KERNEL32(00000000), ref: 00E1F3E4
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E1F400
            • _wcscmp.LIBCMT ref: 00E1F427
            • _wcscmp.LIBCMT ref: 00E1F43E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E1F450
            • SetCurrentDirectoryW.KERNEL32(00E6A5A0), ref: 00E1F46E
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E1F478
            • FindClose.KERNEL32(00000000), ref: 00E1F485
            • FindClose.KERNEL32(00000000), ref: 00E1F497
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            • Opcode ID: 04b20aaee95a60ac8740adbbda84111cf35878d9d77118607ebceacd69eb062b
            • Instruction ID: 0ff31e3e0afbbb4867680f40611605d4375cbd464996c705574b8a5b0275f31b
            • Opcode Fuzzy Hash: 04b20aaee95a60ac8740adbbda84111cf35878d9d77118607ebceacd69eb062b
            • Instruction Fuzzy Hash: 6F31C57290121D6FCB10DFA4EC98ADF77AC9F49365F141276E864B31A0DB30DAC4CAA4
            APIs
              • Part of subcall function 00E0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E08766
              • Part of subcall function 00E0874A: GetLastError.KERNEL32(?,00E0822A,?,?,?), ref: 00E08770
              • Part of subcall function 00E0874A: GetProcessHeap.KERNEL32(00000008,?,?,00E0822A,?,?,?), ref: 00E0877F
              • Part of subcall function 00E0874A: HeapAlloc.KERNEL32(00000000,?,00E0822A,?,?,?), ref: 00E08786
              • Part of subcall function 00E0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E0879D
              • Part of subcall function 00E087E7: GetProcessHeap.KERNEL32(00000008,00E08240,00000000,00000000,?,00E08240,?), ref: 00E087F3
              • Part of subcall function 00E087E7: HeapAlloc.KERNEL32(00000000,?,00E08240,?), ref: 00E087FA
              • Part of subcall function 00E087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E08240,?), ref: 00E0880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E0825B
            • _memset.LIBCMT ref: 00E08270
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E0828F
            • GetLengthSid.ADVAPI32(?), ref: 00E082A0
            • GetAce.ADVAPI32(?,00000000,?), ref: 00E082DD
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E082F9
            • GetLengthSid.ADVAPI32(?), ref: 00E08316
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E08325
            • HeapAlloc.KERNEL32(00000000), ref: 00E0832C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E0834D
            • CopySid.ADVAPI32(00000000), ref: 00E08354
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E08385
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E083AB
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E083BF
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: f28d6d70227b04e52969590fdc1142e47b65fc61ca3e30aed5b684e86aac208e
            • Instruction ID: d1ddcfd1882df13a0eb03cd604932d50928e3fc90b12b81b74e3bbaa1c237669
            • Opcode Fuzzy Hash: f28d6d70227b04e52969590fdc1142e47b65fc61ca3e30aed5b684e86aac208e
            • Instruction Fuzzy Hash: 90617870900209EFCF048FA5DE89EAEBBB9FF44714F049129E855B6291DB359A49CF60
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
            • API String ID: 0-1624373025
            • Opcode ID: f3ae9b4b2187ba07ffa5e67c103d13f2e7cb9bb189a9227378c952007747ebcb
            • Instruction ID: 13909577e620817b59eb7eae1ad238cc9a73c6ae0d8835f1607b49398964105f
            • Opcode Fuzzy Hash: f3ae9b4b2187ba07ffa5e67c103d13f2e7cb9bb189a9227378c952007747ebcb
            • Instruction Fuzzy Hash: E0726275E0021A9BDB14CF59D881BADB7B5FF88310F1491AAE945FB290D770DD81CBA0
            APIs
              • Part of subcall function 00E310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E30038,?,?), ref: 00E310BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E30737
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E307D6
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E3086E
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E30AAD
            • RegCloseKey.ADVAPI32(00000000), ref: 00E30ABA
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            • Opcode ID: f692a4a256642e196fd23054415e545d107c10ff80c7b61920906e18c27e58a6
            • Instruction ID: 107fd73f8d86fb6f585f384111d15ad95278b9cf9afdde1e104885a76b16859c
            • Opcode Fuzzy Hash: f692a4a256642e196fd23054415e545d107c10ff80c7b61920906e18c27e58a6
            • Instruction Fuzzy Hash: 39E15D31604304AFCB14DF29C895E6ABBE5EF89714F04956DF44AEB262DB30ED05CB61
            APIs
            • GetKeyboardState.USER32(?), ref: 00E10241
            • GetAsyncKeyState.USER32(000000A0), ref: 00E102C2
            • GetKeyState.USER32(000000A0), ref: 00E102DD
            • GetAsyncKeyState.USER32(000000A1), ref: 00E102F7
            • GetKeyState.USER32(000000A1), ref: 00E1030C
            • GetAsyncKeyState.USER32(00000011), ref: 00E10324
            • GetKeyState.USER32(00000011), ref: 00E10336
            • GetAsyncKeyState.USER32(00000012), ref: 00E1034E
            • GetKeyState.USER32(00000012), ref: 00E10360
            • GetAsyncKeyState.USER32(0000005B), ref: 00E10378
            • GetKeyState.USER32(0000005B), ref: 00E1038A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 615d80f18c27e797fb8afe4d3c6a475a009df55e6c975581ac52b6cab1ab9563
            • Instruction ID: 21f3b4d075c2aa223a2e5bc944b9b9c4d13e7d09508e625e86f110858e96b274
            • Opcode Fuzzy Hash: 615d80f18c27e797fb8afe4d3c6a475a009df55e6c975581ac52b6cab1ab9563
            • Instruction Fuzzy Hash: 864189349047C9AFFF319A6488083E5BFA06F16348F08509DD9D6A61D3E7E45DC8C7A2
            APIs
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • CoInitialize.OLE32 ref: 00E28718
            • CoUninitialize.OLE32 ref: 00E28723
            • CoCreateInstance.OLE32(?,00000000,00000017,00E42BEC,?), ref: 00E28783
            • IIDFromString.OLE32(?,?), ref: 00E287F6
            • VariantInit.OLEAUT32(?), ref: 00E28890
            • VariantClear.OLEAUT32(?), ref: 00E288F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            • Opcode ID: 206314ad5147a192c5cc9dd661da6c1903612deda54f65f2c54ee868cd051dbe
            • Instruction ID: 4ccb3b675549fd54c4e447c03e9217ecaf83f61d1c1c4038709fb1cbac4b8b87
            • Opcode Fuzzy Hash: 206314ad5147a192c5cc9dd661da6c1903612deda54f65f2c54ee868cd051dbe
            • Instruction Fuzzy Hash: FD61C3306093119FD718DF24DA48B5ABBE4EF44714F54581EF585AB291CB70ED48CBA2
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: 914cd7c05126def2604283baf0d035d683145881b3372cd7045cb2971330cd41
            • Instruction ID: e3df8e1497dbee051dd60a80a9db6d9e4d6e5cba44e4271b51dcda3efc001b94
            • Opcode Fuzzy Hash: 914cd7c05126def2604283baf0d035d683145881b3372cd7045cb2971330cd41
            • Instruction Fuzzy Hash: AD2180756006249FDB10AF21EC19B6A7BA8EF54714F108016F946EB2B1CB30AD04CBA4
            APIs
              • Part of subcall function 00DB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB48A1,?,?,00DB37C0,?), ref: 00DB48CE
              • Part of subcall function 00E14CD3: GetFileAttributesW.KERNEL32(?,00E13947), ref: 00E14CD4
            • FindFirstFileW.KERNEL32(?,?), ref: 00E13ADF
            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E13B87
            • MoveFileW.KERNEL32(?,?), ref: 00E13B9A
            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E13BB7
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E13BD9
            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E13BF5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 4002782344-1173974218
            • Opcode ID: 5e71b828c99ea8594342cfcd1bf3ffe1d08f60ffd295cf63edaf494a809e72bc
            • Instruction ID: ccc1e8448ab9c1ba7098c19bc00f0be465be0968b6784077d222625f890f0a16
            • Opcode Fuzzy Hash: 5e71b828c99ea8594342cfcd1bf3ffe1d08f60ffd295cf63edaf494a809e72bc
            • Instruction Fuzzy Hash: 96516A3180524DABCB15EBA0DE92DEDB7B9AF54304F6451A9E40277192EF206F49CBB0
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E1F6AB
            • Sleep.KERNEL32(0000000A), ref: 00E1F6DB
            • _wcscmp.LIBCMT ref: 00E1F6EF
            • _wcscmp.LIBCMT ref: 00E1F70A
            • FindNextFileW.KERNEL32(?,?), ref: 00E1F7A8
            • FindClose.KERNEL32(00000000), ref: 00E1F7BE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
            • String ID: *.*
            • API String ID: 713712311-438819550
            • Opcode ID: 225494b5ff77f2f4f811f81ce59efda66c971d32a8c287cd7fc45b0639d5abe0
            • Instruction ID: 6263549d3d9d410f0f6ad077eb57102a3d53d8c498baef9702dd7fbf8b2ab94c
            • Opcode Fuzzy Hash: 225494b5ff77f2f4f811f81ce59efda66c971d32a8c287cd7fc45b0639d5abe0
            • Instruction Fuzzy Hash: 4541507191021AAFDF15DF64CC89AEEBBB4FF05314F144566E815B31A1DB309E84CBA0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: 246dac8a1a65c130b98b72fda383866e0619d4b6d2dc2e000db987c1df22be30
            • Instruction ID: 32c7741799ff8f61fea60af105a895442e1bc480b0b32cbdc8e07bf545ca6f46
            • Opcode Fuzzy Hash: 246dac8a1a65c130b98b72fda383866e0619d4b6d2dc2e000db987c1df22be30
            • Instruction Fuzzy Hash: 0BA27D70E0421ACBDF24CF58C960BFDB7B1AF54314F2981AAE955A7284DB709E81DF60
            APIs
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 1d21f585c98c2566fc71f0a07125d83bea3c73b54cd602d9d7e4f7295c29ee5c
            • Instruction ID: c1273a5fe0aac718fc248309fc4be65f2815ff46ce58ecf0f918a3b8386c6062
            • Opcode Fuzzy Hash: 1d21f585c98c2566fc71f0a07125d83bea3c73b54cd602d9d7e4f7295c29ee5c
            • Instruction Fuzzy Hash: D3128970A0060ADFDF04DFA5E981BEEB7B5FF48300F104169E446A7295EB35AD95CB60
            APIs
              • Part of subcall function 00E08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E08D0D
              • Part of subcall function 00E08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E08D3A
              • Part of subcall function 00E08CC3: GetLastError.KERNEL32 ref: 00E08D47
            • ExitWindowsEx.USER32(?,00000000), ref: 00E1549B
            Strings
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 0206c6a7fd35cc1fb9027bc4c6bf846e44f0b4c6fc2fd5aac6aa06b46ba57c6b
            • Instruction ID: 9c8907183676c2426e39f5ca7c245fcfddf316aa9bc9044c6118c0ff63a14620
            • Opcode Fuzzy Hash: 0206c6a7fd35cc1fb9027bc4c6bf846e44f0b4c6fc2fd5aac6aa06b46ba57c6b
            • Instruction Fuzzy Hash: 0A01D832A55B15AEE7285678AC4ABFB7258AB85352F242531FC27F21D2D6B01CC04590
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E265EF
            • WSAGetLastError.WSOCK32(00000000), ref: 00E265FE
            • bind.WSOCK32(00000000,?,00000010), ref: 00E2661A
            • listen.WSOCK32(00000000,00000005), ref: 00E26629
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26643
            • closesocket.WSOCK32(00000000,00000000), ref: 00E26657
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: 6ec25b2baf3bc49d4b2e28929601511432e8e36b13c32ad610a1b3052e7072c1
            • Instruction ID: ae0a25c6e6f373c0efa0dce42bb3f104547d398d7781ed20b5ffccfbc1add8c6
            • Opcode Fuzzy Hash: 6ec25b2baf3bc49d4b2e28929601511432e8e36b13c32ad610a1b3052e7072c1
            • Instruction Fuzzy Hash: 3121CE31600214AFCB10AF24D849F6EBBF9EF48324F148259E916B73D1CB30AD048B60
            APIs
              • Part of subcall function 00DD0FF6: std::exception::exception.LIBCMT ref: 00DD102C
              • Part of subcall function 00DD0FF6: __CxxThrowException@8.LIBCMT ref: 00DD1041
            • _memmove.LIBCMT ref: 00E0062F
            • _memmove.LIBCMT ref: 00E00744
            • _memmove.LIBCMT ref: 00E007EB
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 1300846289-0
            • Opcode ID: 32dd0c1e52f691fb14b0bc6d536d11c6f2e074bbd88da08f3dc90bcef51f62f9
            • Instruction ID: 8093d7431b9ab7dfcdd92886d02627a3887f993d8739b1af1d84148a53e63a86
            • Opcode Fuzzy Hash: 32dd0c1e52f691fb14b0bc6d536d11c6f2e074bbd88da08f3dc90bcef51f62f9
            • Instruction Fuzzy Hash: FF028270A00205DFDF14DF64E981AAE7BB5FF84340F148069E806EB395EB35E995CBA1
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00DB19FA
            • GetSysColor.USER32(0000000F), ref: 00DB1A4E
            • SetBkColor.GDI32(?,00000000), ref: 00DB1A61
              • Part of subcall function 00DB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00DB12D8
            Similarity
            • API ID: ColorProc$LongWindow
            • String ID:
            • API String ID: 3744519093-0
            • Opcode ID: a2b8309eec51e1b123e9e39866e19233164704ecd30b4d1735d694f4acab3a37
            • Instruction ID: 1b204f5fc0d5cdba74ceb2ee4c33d5571e7add264594ceb793a54bebb913a917
            • Opcode Fuzzy Hash: a2b8309eec51e1b123e9e39866e19233164704ecd30b4d1735d694f4acab3a37
            • Instruction Fuzzy Hash: 81A15979105585FEEA28AA2A9C7DDFF399CDB42355FA8011EF443F6191CA10FD02C2B2
            APIs
              • Part of subcall function 00E280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E280CB
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E26AB1
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26ADA
            • bind.WSOCK32(00000000,?,00000010), ref: 00E26B13
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26B20
            • closesocket.WSOCK32(00000000,00000000), ref: 00E26B34
            Similarity
            • API ID: ErrorLast$bindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 99427753-0
            • Opcode ID: 52cc7e8cfdd0fdf13cc173b438bb555402b64ba7ef5452181f7b38164a6e582b
            • Instruction ID: b0143e0c70dd5dbd673250daa0a1fa01ef8cb290fe0ea577da144de5c0d7a2ab
            • Opcode Fuzzy Hash: 52cc7e8cfdd0fdf13cc173b438bb555402b64ba7ef5452181f7b38164a6e582b
            • Instruction Fuzzy Hash: D641B575B40214EFEB10AF64DC96FAEB7A9DB44710F448158FA1ABB3D2DA709D0087B1
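Decoding the argument constants makes the two Winsock records above easier to read: socket(2, 1, 6) is AF_INET/SOCK_STREAM/IPPROTO_TCP and listen(…, 5) at 00E26629 requests a backlog of 5, while socket(2, 2, 0x11) at 00E26AB1 is AF_INET/SOCK_DGRAM/IPPROTO_UDP and is bound but never listened on; bind's third argument 0x10 is sizeof(sockaddr_in) in both. The earlier record ending in ExitWindowsEx at 00E1549B is the companion sequence behind the shutdown signature: LookupPrivilegeValueW for SeShutdownPrivilege, AdjustTokenPrivileges, GetLastError, then ExitWindowsEx. The Python below is an added example and is not Joe Sandbox or AutoIt code. It parses the report's "APIs" bullet format into call records and applies two sequence rules, one for a bound or listening socket and one for a privilege being enabled before a target call. The sample input is copied from the records above; treating "?" as an unrecovered argument and an 8-hex-digit token as a numeric literal are assumptions about the report's notation.

```python
"""Parse Joe Sandbox 'APIs' bullets and flag two call sequences from this report.
Added example for this page, not Joe Sandbox or AutoIt code."""
import re
from dataclasses import dataclass
from typing import Optional

# A bullet looks like either of these (indentation varies):
#   • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E265EF
#   • Part of subcall function 00E08CC3: GetLastError.KERNEL32 ref: 00E08D47
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@$]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list                  # int for hex literals, None for '?', str otherwise
    ref: int                    # call-site address
    subcall_of: Optional[int]   # parent function when the call is one level down


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                              # assumption: '?' = not recovered
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)                      # assumption: 8 hex digits = number
    return tok                                   # string argument, e.g. kernel32.dll


def parse_calls(text: str) -> list:
    """Turn a block of 'APIs' bullets into Call records, skipping non-bullet lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


AF = {2: "AF_INET", 23: "AF_INET6"}                    # winsock2.h constants
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def describe_socket(calls: list) -> Optional[str]:
    """Classify a socket()/bind()/listen() sequence; None when there is no socket()."""
    names = [c.api for c in calls]
    if "socket" not in names:
        return None
    s = calls[names.index("socket")]
    kind = "/".join((AF.get(s.args[0], "?"), SOCK.get(s.args[1], "?"),
                     PROTO.get(s.args[2], "?")))
    if "bind" in names and "listen" in names:
        return f"{kind} listening socket, backlog {calls[names.index('listen')].args[1]}"
    if "bind" in names:
        return f"{kind} bound socket"
    return f"{kind} socket"


def enables_privilege_before(calls: list, target_api: str) -> bool:
    """True when LookupPrivilegeValueW, then AdjustTokenPrivileges, precede target_api."""
    order = [c.api for c in calls]
    try:
        return (order.index("LookupPrivilegeValueW")
                < order.index("AdjustTokenPrivileges") < order.index(target_api))
    except ValueError:
        return False


# Sample input copied verbatim from the function records above.
TCP_RECORD = """
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E265EF
• WSAGetLastError.WSOCK32(00000000), ref: 00E265FE
• bind.WSOCK32(00000000,?,00000010), ref: 00E2661A
• listen.WSOCK32(00000000,00000005), ref: 00E26629
• WSAGetLastError.WSOCK32(00000000), ref: 00E26643
• closesocket.WSOCK32(00000000,00000000), ref: 00E26657
"""
UDP_RECORD = """
  • Part of subcall function 00E280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E280CB
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E26AB1
• bind.WSOCK32(00000000,?,00000010), ref: 00E26B13
• closesocket.WSOCK32(00000000,00000000), ref: 00E26B34
"""
SHUTDOWN_RECORD = """
  • Part of subcall function 00E08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E08D0D
  • Part of subcall function 00E08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E08D3A
  • Part of subcall function 00E08CC3: GetLastError.KERNEL32 ref: 00E08D47
• ExitWindowsEx.USER32(?,00000000), ref: 00E1549B
"""
```

Matching on the sequence rather than on single APIs keeps socket() or GetLastError() on their own from firing. The GetLastError that follows AdjustTokenPrivileges in the trace is not noise: AdjustTokenPrivileges returns nonzero even when the privilege could not be enabled, so the caller has to compare against ERROR_NOT_ALL_ASSIGNED (1300) to learn whether SeShutdownPrivilege was actually granted.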
            APIs
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: 8e8c997f1320f05f84894cfb24ab86f61d46a166d5092717b0e851a07426f1a0
            • Instruction ID: 95aa56627ff0e4ba395369fbcc935737267afba16bef0be0decdbf813c0b7a1b
            • Opcode Fuzzy Hash: 8e8c997f1320f05f84894cfb24ab86f61d46a166d5092717b0e851a07426f1a0
            • Instruction Fuzzy Hash: 7311B232700915AFEB211F26DC4EA6BBFA8EF44721F815429F846F7341CB709901CAA5
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00DF1D88,?), ref: 00E2C312
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E2C324
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: 330ddff1f3a5f5e414453b2b2b81e292fe7f10e3947ee584db8456a51ba7aa30
            • Instruction ID: 74c9476ff9fb26a8b60e75b287d409124798c0538a110129d1a7df88a867acb6
            • Opcode Fuzzy Hash: 330ddff1f3a5f5e414453b2b2b81e292fe7f10e3947ee584db8456a51ba7aa30
            • Instruction Fuzzy Hash: 40E08670600313CFCB209B26E808A4A7AD4EF08758B50987AD485F2210D770D840C660
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: fc68cf6bb7380639a8247beeddd491308a8993359ad71ea7feec1cbc78a0107f
            • Instruction ID: aabd6f24841e12f8762735990a09894452f5f9aa0929f9da935db3331e831e84
            • Opcode Fuzzy Hash: fc68cf6bb7380639a8247beeddd491308a8993359ad71ea7feec1cbc78a0107f
            • Instruction Fuzzy Hash: A82289716083429FC724DF24C891BAEB7E4EF84300F14891DF99A97291DB71EA44CBB2
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00E2F151
            • Process32FirstW.KERNEL32(00000000,?), ref: 00E2F15F
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
            • Process32NextW.KERNEL32(00000000,?), ref: 00E2F21F
            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E2F22E
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
            • String ID:
            • API String ID: 2576544623-0
            • Opcode ID: 1ca1815888d1660da5cd483122ac4b19c072364fc791a7412762a564bcc6bd34
            • Instruction ID: d3cf3d665c90fbf621787f1dcedd5a8ecaca6ec8f25cf1d8060a20c7b1ba6499
            • Opcode Fuzzy Hash: 1ca1815888d1660da5cd483122ac4b19c072364fc791a7412762a564bcc6bd34
            • Instruction Fuzzy Hash: 88514D71504310DFD310EF24DC95AABBBE8EF95710F50492DF596A7262DB70E908CBA2
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E140D1
            • _memset.LIBCMT ref: 00E140F2
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E14144
            • CloseHandle.KERNEL32(00000000), ref: 00E1414D
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: a3e109db0e8d8262c9b92b99a4fa5c14e48ccec81d78163c8ebf016db3aab03e
            • Instruction ID: 6bda7f6b2a08969b5ef34518d41f8e931ee6796cc1d62532329c7dc7fe063753
            • Opcode Fuzzy Hash: a3e109db0e8d8262c9b92b99a4fa5c14e48ccec81d78163c8ebf016db3aab03e
            • Instruction Fuzzy Hash: 3311EB75D0122C7AD7305BA6AC4DFEBBB7CEF44760F104196F908E7280D6744E848BA4
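The record above opens a handle with CreateFileW(…, 0xC0000000, 3, NULL, 3, 0x80, NULL), that is GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, zeroes a buffer and sends control code 0x0004D02C with 0x200-byte input and output buffers. A control code can be split into its fields with the CTL_CODE layout from winioctl.h. The Python below is an added example, not Joe Sandbox or AutoIt code; it decodes any DeviceIoControl code from the report and maps this one to its documented name, IOCTL_ATA_PASS_THROUGH (device type 0x04 = IOCTL_SCSI_BASE, function 0x40B, METHOD_BUFFERED, read and write access). The name table is a short list of my choosing and is not exhaustive.

```python
"""Decode a DeviceIoControl control code into its CTL_CODE fields.
Added example for this page, not Joe Sandbox or AutoIt code. Layout per winioctl.h:
    code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
The name table is a short selection, not a complete list of Windows IOCTLs."""

DEVICE_TYPES = {                 # FILE_DEVICE_* values from winioctl.h / ntddk.h
    0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x2D: "FILE_DEVICE_MASS_STORAGE (IOCTL_STORAGE_BASE)",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro; used here to build the name table and cross-check the decoder."""
    if not (0 <= function < 0x1000 and 0 <= method < 4 and 0 <= access < 4):
        raise ValueError("field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


KNOWN_IOCTLS = {                 # (base, function, method, access) from ntddscsi.h et al.
    ctl_code(0x04, 0x401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x40B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x40C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x07, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into its four fields and name it when recognised."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, "unknown device type"),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
        "name": KNOWN_IOCTLS.get(code),      # None when not in the table above
    }


def describe_ioctl(code: int) -> str:
    """One-line rendering suitable for annotating a DeviceIoControl call in a report."""
    d = decode_ioctl(code)
    return (f"0x{code:08X} = {d['name'] or 'unrecognised'}: {d['device_name']}, "
            f"function 0x{d['function']:03X}, {d['method']}, {d['access']}")


# Control code observed in the DeviceIoControl call above.
OBSERVED_IOCTL = 0x0004D02C
```

A 512-byte (0x200) output buffer is the size of an ATA IDENTIFY DEVICE data block, so the call is consistent with querying drive identity over ATA pass-through rather than with raw sector access; it is the kind of call behind the "communicate with device drivers" signature in the overview. The decoder applies unchanged to any other DeviceIoControl argument in the report, and an unrecognised code still yields its device type, function number, method and access, which is usually enough to locate it in the SDK headers.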
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E0EB19
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 9775a784fc38616d9a30f5f77ce673ca933f656c5996dd2e6f76bea09fefc9ad
            • Instruction ID: f164f229e014a17d62472fbaf8379518ae2bf5e7bb22cdec21eaa28f0b72ba5b
            • Opcode Fuzzy Hash: 9775a784fc38616d9a30f5f77ce673ca933f656c5996dd2e6f76bea09fefc9ad
            • Instruction Fuzzy Hash: 83321675A006059FD728CF19C481A6AB7F1FF48310B15D96EE49AEB7A1D770E981CB40
            APIs
            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E226D5
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E2270C
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: a5a49535eb892371220e0686819e53991684513a9ca5623a7aab7352cfcb47e3
            • Instruction ID: 207894921efec803939b6392b2a45c8d9459f99145497db5fc42a32d1c4cd924
            • Opcode Fuzzy Hash: a5a49535eb892371220e0686819e53991684513a9ca5623a7aab7352cfcb47e3
            • Instruction Fuzzy Hash: C641D572904219BFEB20DE55EC85EFBB7BCEB40718F10506FF701B6240EA719E459664
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E1B5AE
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E1B608
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E1B655
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: d0d4f4cfd2a7874433cb71791708283c184f8e3d7c8ae07ab30aab9b11ed235f
            • Instruction ID: 6de3d891cfb1787374f1098e362cae8afca6e6ce9b8d7bb2afbeb200dfba99e9
            • Opcode Fuzzy Hash: d0d4f4cfd2a7874433cb71791708283c184f8e3d7c8ae07ab30aab9b11ed235f
            • Instruction Fuzzy Hash: 6D215175A00118EFCB00EF65D884EEDBBB8FF49310F1480A9E905AB361DB319955CB61
            APIs
              • Part of subcall function 00DD0FF6: std::exception::exception.LIBCMT ref: 00DD102C
              • Part of subcall function 00DD0FF6: __CxxThrowException@8.LIBCMT ref: 00DD1041
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E08D0D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E08D3A
            • GetLastError.KERNEL32 ref: 00E08D47
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: f0a6f4323098a128524d0edf973ea2fc4cf5da1dd651f3bfb954fcafbe5a6b95
            • Instruction ID: 27d112195a895328a2d22a21b8ef6ed985285150c26275e3518f136f7ed6d46d
            • Opcode Fuzzy Hash: f0a6f4323098a128524d0edf973ea2fc4cf5da1dd651f3bfb954fcafbe5a6b95
            • Instruction Fuzzy Hash: 251194B1914209AFD728EF64ED85D6BBBBCFF54710B20852EF495A3251DF30AC448A70
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E14C2C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E14C43
            • FreeSid.ADVAPI32(?), ref: 00E14C53
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: ba9f5691e5ef8f980ab9d132decce3d53c6d7fa3a7bf981663181a1dcc2eb84b
            • Instruction ID: db20aedfebf6f254201157ec7fa2c1d4d7498f4ca3a753f72e2a6f54f8154c20
            • Opcode Fuzzy Hash: ba9f5691e5ef8f980ab9d132decce3d53c6d7fa3a7bf981663181a1dcc2eb84b
            • Instruction Fuzzy Hash: 1FF04975E1130CBFDF04DFF4DD89AAEBBBCEF08201F0044A9E905E2281E6706A488B50
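AllocateAndInitializeSid(?, 2, 0x20, 0x220, 0, …) followed by CheckTokenMembership and FreeSid is the standard test for membership in BUILTIN\Administrators: two sub-authorities, SECURITY_BUILTIN_DOMAIN_RID (32) and DOMAIN_ALIAS_RID_ADMINS (544). The identifier authority is passed by pointer, which is why only "?" appears in the trace; assuming SECURITY_NT_AUTHORITY (5), the SID is S-1-5-32-544. The Python below is an added example, not Joe Sandbox or AutoIt code; it lays the SID out in memory the way the API does, renders it as a string and names the alias, so the same routine can be applied to other AllocateAndInitializeSid calls or to SID bytes recovered from a token or ACL.

```python
"""Build the SID behind AllocateAndInitializeSid(…, 2, 0x20, 0x220, …) and name it.
Added example for this page, not Joe Sandbox or AutoIt code. The identifier authority
only appears as a pointer ('?') in the trace, so SECURITY_NT_AUTHORITY is an
assumption; the two RIDs are the documented winnt.h constants."""
import struct

SECURITY_NT_AUTHORITY = 5           # assumed: the authority used for BUILTIN aliases
SECURITY_BUILTIN_DOMAIN_RID = 0x20  # = 32
DOMAIN_ALIAS_RID_ADMINS = 0x220     # = 544

WELL_KNOWN = {                      # a few documented aliases, not a complete list
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}


def make_sid(authority: int, *rids: int) -> bytes:
    """Binary SID as winnt.h defines it: revision 1, sub-authority count, 48-bit
    big-endian identifier authority, then each sub-authority as a little-endian DWORD."""
    if not 1 <= len(rids) <= 15:
        raise ValueError("a SID carries between 1 and 15 sub-authorities")
    head = struct.pack("<BB", 1, len(rids)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", rid) for rid in rids)


def sid_to_string(sid: bytes) -> str:
    """Render binary SID bytes in the S-R-A-S1-S2... form, rejecting a bad length."""
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID")
    authority = int.from_bytes(sid[2:8], "big")
    rids = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(r) for r in rids))


def describe_sid_call(authority: int, *rids: int) -> tuple:
    """Resolve the arguments of an AllocateAndInitializeSid call to (string SID, alias)."""
    text = sid_to_string(make_sid(authority, *rids))
    return text, WELL_KNOWN.get(text, "(no well-known alias)")


# Arguments observed above: count 2, RIDs 0x20 and 0x220; authority assumed.
OBSERVED = describe_sid_call(SECURITY_NT_AUTHORITY,
                             SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
```

CheckTokenMembership only considers groups that are enabled in the token. Under UAC a non-elevated administrator runs with a filtered token in which the Administrators group is present but marked deny-only, so this check reports FALSE until the process is elevated, a detail to keep in mind when reading it next to the run-as and elevation functionality listed in the overview.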
            APIs
            • __time64.LIBCMT ref: 00E18B25
              • Part of subcall function 00DD543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E191F8,00000000,?,?,?,?,00E193A9,00000000,?), ref: 00DD5443
              • Part of subcall function 00DD543A: __aulldiv.LIBCMT ref: 00DD5463
            Strings
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID: 0u
            • API String ID: 2893107130-1339160046
            • Opcode ID: 3a6616b50d6dab63d9cf0fc5e2d2ff1ba1dc66dec8f495de52d1d069b503c0b2
            • Instruction ID: 41dbbf61620d4ed43b091ea4a0204ef3bfc20804c98004c57630d87c4e8b58c1
            • Opcode Fuzzy Hash: 3a6616b50d6dab63d9cf0fc5e2d2ff1ba1dc66dec8f495de52d1d069b503c0b2
            • Instruction Fuzzy Hash: 5A21E472639510CFC329CF25D441A92B3E1EFA4311B289E6CD4E9DB2D0CA34B985CB94
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21b1f48cf03f3dce734403fcffdb8808641f52f2cb7123a9dcd5ddde1bc78c7f
            • Instruction ID: 4f1f7f8669b1a2492efd75837a957a5e4a6e1bf00cb1a2853e918351c49434a6
            • Opcode Fuzzy Hash: 21b1f48cf03f3dce734403fcffdb8808641f52f2cb7123a9dcd5ddde1bc78c7f
            • Instruction Fuzzy Hash: 48225A74900219DFDB24DF58C491AEABBF0FF08300F298569E997AB351D734E985CBA1
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00E1C966
            • FindClose.KERNEL32(00000000), ref: 00E1C996
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 2dd906865070ffaf2cd407c7934af1b59eab47fcb991ee3ce500e22c7d152406
            • Instruction ID: f94eefa8bd8d292a888315bd9d5cbab3aded2ba41b25a4d35c3eabfc2d8dbfb3
            • Opcode Fuzzy Hash: 2dd906865070ffaf2cd407c7934af1b59eab47fcb991ee3ce500e22c7d152406
            • Instruction Fuzzy Hash: E711C8326002049FDB10EF29C855E6AF7E5FF85324F00851EF9A6E72A1DB30AC04CB91
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E2977D,?,00E3FB84,?), ref: 00E1A302
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E2977D,?,00E3FB84,?), ref: 00E1A314
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: a5454bf4f8f9484a8afcacb61cb8ade1c4a5766849519a732554551e67e07cce
            • Instruction ID: b27b3cb16c94e5e2bce750f7cba12e482ffa898ebaf0da40ad80c085be3c90ea
            • Opcode Fuzzy Hash: a5454bf4f8f9484a8afcacb61cb8ade1c4a5766849519a732554551e67e07cce
            • Instruction Fuzzy Hash: 3FF0BE3560522DABDB10AEA4CC48FFE776CEF08761F004165F818A2190D6309944CBB1
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E08851), ref: 00E08728
            • CloseHandle.KERNEL32(?,?,00E08851), ref: 00E0873A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: a07a5d5b84b0a3dbad52e3889a7605521260ceafdbc2676f3c45480e20dca777
            • Instruction ID: 6d524c00f48bd7b9cddd1986155855d8eec75c80bfdcb010cd648ce3eb88f435
            • Opcode Fuzzy Hash: a07a5d5b84b0a3dbad52e3889a7605521260ceafdbc2676f3c45480e20dca777
            • Instruction Fuzzy Hash: 62E0B676010610EFE7253B65FD09D777BA9EB04355B24882AF49690470DB62AC94DB20
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DD8F97,?,?,?,00000001), ref: 00DDA39A
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DDA3A3
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 0eb0746b939d59aeedf565d32440053b35c0eb4a0b298a62c7f324eed1475b48
            • Instruction ID: f42cc8ec042260f591367339f9d523db20d354d0f2eb9090a102c65dee20de75
            • Opcode Fuzzy Hash: 0eb0746b939d59aeedf565d32440053b35c0eb4a0b298a62c7f324eed1475b48
            • Instruction Fuzzy Hash: 44B0923145420CAFCA002B92EC0DB8A3F68EB45AA2F404020F60D95060CB6254548A91
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d1796a7e423208de68f684808a33f1bac30fd1b20aa8cbdd8930e60954edbe1e
            • Instruction ID: 450391a1628fa8b8bfefb1651cdd55e9ceef710851c97b0a76bd14e59820f2c6
            • Opcode Fuzzy Hash: d1796a7e423208de68f684808a33f1bac30fd1b20aa8cbdd8930e60954edbe1e
            • Instruction Fuzzy Hash: CA323826D29F414DD7239639D8723356289EFB73C4F15D737F85AB5AA6DB28C4830140
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d08623c682a344198be183996909da24b98229fbf1eb98ab5f5985a8520fcf8d
            • Instruction ID: 9c5d804235a12269a481a47a1d14aac39a9d0cb9bcef242eda6e3a97a3c28e37
            • Opcode Fuzzy Hash: d08623c682a344198be183996909da24b98229fbf1eb98ab5f5985a8520fcf8d
            • Instruction Fuzzy Hash: 5EB1F224D6AF414DD323AA3A883133AB64CAFBB2D5F55D72BFC2670D22FB2185874141
            APIs
            • BlockInput.USER32(00000001), ref: 00E24218
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: cca0bd50dd402b8ecc97542d2895901613a3965f24c9ded37012b1682dc1fb5f
            • Instruction ID: 156af05a3094cc1a79c2abff1ce57e07b9fe40987008b0e35f515bffe0632249
            • Opcode Fuzzy Hash: cca0bd50dd402b8ecc97542d2895901613a3965f24c9ded37012b1682dc1fb5f
            • Instruction Fuzzy Hash: 73E04872240154DFC710DF5AE445A9AFBD8EF54760F048015FD4AD7362DA70E8408BB0
            APIs
            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E14F18
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 2e49ed6160ae5c034005ce17e365a7674bdebe3ca126c84b9ea1e88522bb69b9
            • Instruction ID: 7a7a84bd2c8c280481d49272dc2d7dae6cf20636d2e7773f890ac2d53a57da6c
            • Opcode Fuzzy Hash: 2e49ed6160ae5c034005ce17e365a7674bdebe3ca126c84b9ea1e88522bb69b9
            • Instruction Fuzzy Hash: 14D05EF03642093CFC184B20AC0FFFB010AE348B95F9479897201BA7C198E16CC6A035
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E088D1), ref: 00E08CB3
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: e9e2330a16d6fdd69641bbaa26b3050109e031bd68ba54ef7f6b03661b2eb552
            • Instruction ID: 631bae2a241bc307e80dff3139ae9b471ba56d3d7971140c1a8585b00761d241
            • Opcode Fuzzy Hash: e9e2330a16d6fdd69641bbaa26b3050109e031bd68ba54ef7f6b03661b2eb552
            • Instruction Fuzzy Hash: 18D05E3226450EAFEF018EA8DC05EAE3B69EB04B01F408111FE15D50A1C775D835AF60
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00DF2242
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: f5c5cb85475067d505becff71c76a17e75563a85743ef2a7c624231637539972
            • Instruction ID: baf2d9ef76d34496470444b5bff921bcdc38978b8c90b811134780958ad50f9f
            • Opcode Fuzzy Hash: f5c5cb85475067d505becff71c76a17e75563a85743ef2a7c624231637539972
            • Instruction Fuzzy Hash: BDC04CF5C0410DDBDB05DB90D988DFE77BCAB05304F104055E541F2100D7749B488E71
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DDA36A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 4df796e5a379344f992edde1fa41f3d555d3ee547b9b6d9b75ba567db9e1301d
            • Instruction ID: f5c16491fc8689bbcd2ca357b70ccc2aa81bb07555354b69332c4b6425f84ffa
            • Opcode Fuzzy Hash: 4df796e5a379344f992edde1fa41f3d555d3ee547b9b6d9b75ba567db9e1301d
            • Instruction Fuzzy Hash: F8A0113000020CAB8A002B82EC0888ABFACEB022A0B008020F80C820228B32A8208A80
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e18375cb9be3445f8a0829d383013b64cbbd8ae08cc26b3a8760dc66a2587f57
            • Instruction ID: 66ccdadb9010936818d28746eeb6b19002e12b210ad0560120c730c22469374f
            • Opcode Fuzzy Hash: e18375cb9be3445f8a0829d383013b64cbbd8ae08cc26b3a8760dc66a2587f57
            • Instruction Fuzzy Hash: E822F3319016278BDF288B18D5D4F7E77A1EB41344F68846ED892AB2D1DB349DC1EB70
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 2c27766f555632c968013d2b7cbd2dd4384f9f8c179a3db834ba9796f723bfd7
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: D5C1713720519309DB2D4639987453EBAE19EB27B131E0B5FE8B2CB6C4EF20D524E630
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: 9e84b2ac6ded39aa8e59d1c078bfb874bb2a0034beeb3558ce6a3155c90c4e9b
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: A1C1843720519309DB2D4639987413EBBE19EA27B131E1B6FE4B2DB6D4EF20D524E630
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: 477061f03665faa611784b936f6f3732432d34c10cdb101069304b0d6626ec27
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: ECC1623B20515319DB2D463A987413EBBE2DEA27B131E0B5EE4B2CB6D4EF20D5249630
            APIs
            • CharUpperBuffW.USER32(?,?,00E3F910), ref: 00E338AF
            • IsWindowVisible.USER32(?), ref: 00E338D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharUpperVisibleWindow
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 4105515805-45149045
            • Opcode ID: ffde6527060519ba93a38bc59be60d31183e601d9a9c06b5e3fbc736e9296030
            • Instruction ID: 084d8cc1b191ffe58e369867ff74d69e4deb813dcfe4460631334ecf6deca5f1
            • Opcode Fuzzy Hash: ffde6527060519ba93a38bc59be60d31183e601d9a9c06b5e3fbc736e9296030
            • Instruction Fuzzy Hash: C2D12330204205DBCB14EF30C455EA9BFA6EF94354F146459B8867B7E3DB21EE4ACB61
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00E3A89F
            • GetSysColorBrush.USER32(0000000F), ref: 00E3A8D0
            • GetSysColor.USER32(0000000F), ref: 00E3A8DC
            • SetBkColor.GDI32(?,000000FF), ref: 00E3A8F6
            • SelectObject.GDI32(?,?), ref: 00E3A905
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E3A930
            • GetSysColor.USER32(00000010), ref: 00E3A938
            • CreateSolidBrush.GDI32(00000000), ref: 00E3A93F
            • FrameRect.USER32(?,?,00000000), ref: 00E3A94E
            • DeleteObject.GDI32(00000000), ref: 00E3A955
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00E3A9A0
            • FillRect.USER32(?,?,?), ref: 00E3A9D2
            • GetWindowLongW.USER32(?,000000F0), ref: 00E3A9FD
              • Part of subcall function 00E3AB60: GetSysColor.USER32(00000012), ref: 00E3AB99
              • Part of subcall function 00E3AB60: SetTextColor.GDI32(?,?), ref: 00E3AB9D
              • Part of subcall function 00E3AB60: GetSysColorBrush.USER32(0000000F), ref: 00E3ABB3
              • Part of subcall function 00E3AB60: GetSysColor.USER32(0000000F), ref: 00E3ABBE
              • Part of subcall function 00E3AB60: GetSysColor.USER32(00000011), ref: 00E3ABDB
              • Part of subcall function 00E3AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E3ABE9
              • Part of subcall function 00E3AB60: SelectObject.GDI32(?,00000000), ref: 00E3ABFA
              • Part of subcall function 00E3AB60: SetBkColor.GDI32(?,00000000), ref: 00E3AC03
              • Part of subcall function 00E3AB60: SelectObject.GDI32(?,?), ref: 00E3AC10
              • Part of subcall function 00E3AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E3AC2F
              • Part of subcall function 00E3AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E3AC46
              • Part of subcall function 00E3AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E3AC5B
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 61092b8810a359abbfa6c8b5c3e7cfd945f060e78262b22e129f92bf19efd87b
            • Instruction ID: 17dda948f039036b6ecc08b8b357bbd377205781af8d9bedafc5e8548691cf53
            • Opcode Fuzzy Hash: 61092b8810a359abbfa6c8b5c3e7cfd945f060e78262b22e129f92bf19efd87b
            • Instruction Fuzzy Hash: 91A19E72408305BFD7109F65DC0CE6BBFA9FF88325F145A29F9A2A61A1D731D848CB52
            APIs
            • DestroyWindow.USER32(00000000), ref: 00E277F1
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E278B0
            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E278EE
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E27900
            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E27946
            • GetClientRect.USER32(00000000,?), ref: 00E27952
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E27996
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E279A5
            • GetStockObject.GDI32(00000011), ref: 00E279B5
            • SelectObject.GDI32(00000000,00000000), ref: 00E279B9
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E279C9
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E279D2
            • DeleteDC.GDI32(00000000), ref: 00E279DB
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E27A07
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E27A1E
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E27A59
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E27A6D
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E27A7E
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E27AAE
            • GetStockObject.GDI32(00000011), ref: 00E27AB9
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E27AC4
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E27ACE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: 2192159897ed476fb31135a39b0eef7f63744d8811c33ef2795a52b45d287f24
            • Instruction ID: 705d35456143e69b10fa9944bf84491fab96feb2c9faecc973393b06c3091595
            • Opcode Fuzzy Hash: 2192159897ed476fb31135a39b0eef7f63744d8811c33ef2795a52b45d287f24
            • Instruction Fuzzy Hash: B1A19FB1A40619BFEB14DBA5DC4AFAEBBB9EB44714F004114FA15B72E1CB70AD04CB60
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E1AF89
            • GetDriveTypeW.KERNEL32(?,00E3FAC0,?,\\.\,00E3F910), ref: 00E1B066
            • SetErrorMode.KERNEL32(00000000,00E3FAC0,?,\\.\,00E3F910), ref: 00E1B1C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: ef8fe4b908a08f7f8250a7940cd45212e7924fac677e82545a26aace55100db7
            • Instruction ID: b8b4ae1ef3dd61aa8fb1ac9f478519d2150010c162372698dd1634af35db099b
            • Opcode Fuzzy Hash: ef8fe4b908a08f7f8250a7940cd45212e7924fac677e82545a26aace55100db7
            • Instruction Fuzzy Hash: 2251A130B85345FB8B00DB20D9A29FD73B0EB583857296026E80BB7291C775AD81DF52
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 2b2246ffa68637f4c8b00cc0dfbfb0521114a97c599dec6e5adfcad445795b05
            • Instruction ID: 5b0f2808bbfed80aca10e201b72abb82ad1f126a1c06a46d50431e7a3b94f7e5
            • Opcode Fuzzy Hash: 2b2246ffa68637f4c8b00cc0dfbfb0521114a97c599dec6e5adfcad445795b05
            • Instruction Fuzzy Hash: C6810870740345FBCB20BB61DC83FEE7768EF15700F085026F946AA296EB64EA45C675
            APIs
            • GetSysColor.USER32(00000012), ref: 00E3AB99
            • SetTextColor.GDI32(?,?), ref: 00E3AB9D
            • GetSysColorBrush.USER32(0000000F), ref: 00E3ABB3
            • GetSysColor.USER32(0000000F), ref: 00E3ABBE
            • CreateSolidBrush.GDI32(?), ref: 00E3ABC3
            • GetSysColor.USER32(00000011), ref: 00E3ABDB
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E3ABE9
            • SelectObject.GDI32(?,00000000), ref: 00E3ABFA
            • SetBkColor.GDI32(?,00000000), ref: 00E3AC03
            • SelectObject.GDI32(?,?), ref: 00E3AC10
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E3AC2F
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E3AC46
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E3AC5B
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E3ACA7
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E3ACCE
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00E3ACEC
            • DrawFocusRect.USER32(?,?), ref: 00E3ACF7
            • GetSysColor.USER32(00000011), ref: 00E3AD05
            • SetTextColor.GDI32(?,00000000), ref: 00E3AD0D
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E3AD21
            • SelectObject.GDI32(?,00E3A869), ref: 00E3AD38
            • DeleteObject.GDI32(?), ref: 00E3AD43
            • SelectObject.GDI32(?,?), ref: 00E3AD49
            • DeleteObject.GDI32(?), ref: 00E3AD4E
            • SetTextColor.GDI32(?,?), ref: 00E3AD54
            • SetBkColor.GDI32(?,?), ref: 00E3AD5E
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 58a9db8a65c4440c4f656f7c9ed1838697925a5126a51470fb7bd321ec5993e8
            • Instruction ID: 70776c46530003379cae86b9564c3c4633d514380e9738255d532b193428252b
            • Opcode Fuzzy Hash: 58a9db8a65c4440c4f656f7c9ed1838697925a5126a51470fb7bd321ec5993e8
            • Instruction Fuzzy Hash: 71614971D01218BFDB119FA9DC4CEAEBFB9EB08320F148126F915BB2A1D6719D44DB90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E38D34
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E38D45
            • CharNextW.USER32(0000014E), ref: 00E38D74
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E38DB5
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E38DCB
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E38DDC
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E38DF9
            • SetWindowTextW.USER32(?,0000014E), ref: 00E38E45
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E38E5B
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E38E8C
            • _memset.LIBCMT ref: 00E38EB1
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E38EFA
            • _memset.LIBCMT ref: 00E38F59
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E38F83
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E38FDB
            • SendMessageW.USER32(?,0000133D,?,?), ref: 00E39088
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E390AA
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E390F4
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E39121
            • DrawMenuBar.USER32(?), ref: 00E39130
            • SetWindowTextW.USER32(?,0000014E), ref: 00E39158
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: 5e13a6770c788b13fca39ace8435337de5bf999758f2ee637e7356e60f83a535
            • Instruction ID: 0e721643abf7da0ed39dac34e206c16aee98423531a58078ac8a8d3f12aa9239
            • Opcode Fuzzy Hash: 5e13a6770c788b13fca39ace8435337de5bf999758f2ee637e7356e60f83a535
            • Instruction Fuzzy Hash: BFE19E70901209AFDB209F61CC8DEEEBFB9EF05714F009156F919BA291DB708A85DF61
            APIs
            • GetCursorPos.USER32(?), ref: 00E34C51
            • GetDesktopWindow.USER32 ref: 00E34C66
            • GetWindowRect.USER32(00000000), ref: 00E34C6D
            • GetWindowLongW.USER32(?,000000F0), ref: 00E34CCF
            • DestroyWindow.USER32(?), ref: 00E34CFB
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E34D24
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E34D42
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E34D68
            • SendMessageW.USER32(?,00000421,?,?), ref: 00E34D7D
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E34D90
            • IsWindowVisible.USER32(?), ref: 00E34DB0
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E34DCB
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E34DDF
            • GetWindowRect.USER32(?,?), ref: 00E34DF7
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00E34E1D
            • GetMonitorInfoW.USER32(00000000,?), ref: 00E34E37
            • CopyRect.USER32(?,?), ref: 00E34E4E
            • SendMessageW.USER32(?,00000412,00000000), ref: 00E34EB9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 17c90175660c85525fd4d4399efb5ab85c7c0714a9bfd941ceafcc9faffaf519
            • Instruction ID: d365e692b0aea073dc5a1d712598866eb57715695afd5c62cc3e57789d7e93fa
            • Opcode Fuzzy Hash: 17c90175660c85525fd4d4399efb5ab85c7c0714a9bfd941ceafcc9faffaf519
            • Instruction Fuzzy Hash: 02B147B1604341AFDB04DF25C849B6ABFE4FF88714F00991DF59AAB2A1D771E805CBA1
            APIs
            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E146E8
            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E1470E
            • _wcscpy.LIBCMT ref: 00E1473C
            • _wcscmp.LIBCMT ref: 00E14747
            • _wcscat.LIBCMT ref: 00E1475D
            • _wcsstr.LIBCMT ref: 00E14768
            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E14784
            • _wcscat.LIBCMT ref: 00E147CD
            • _wcscat.LIBCMT ref: 00E147D4
            • _wcsncpy.LIBCMT ref: 00E147FF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
            • API String ID: 699586101-1459072770
            • Opcode ID: 76a0516fcf07fffa983a939818a4af1469040a9f6bb477923884021f90058f3d
            • Instruction ID: fabcd5cd931e294f7ffa98e8cff734eb3f33ba36eeae4fcdc949fb35a5de830b
            • Opcode Fuzzy Hash: 76a0516fcf07fffa983a939818a4af1469040a9f6bb477923884021f90058f3d
            • Instruction Fuzzy Hash: FD41EF72A003057ADB14AB759C46EBF7BACDF41710F04006BF905B6292EB61AA41A6B5
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DB28BC
            • GetSystemMetrics.USER32(00000007), ref: 00DB28C4
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DB28EF
            • GetSystemMetrics.USER32(00000008), ref: 00DB28F7
            • GetSystemMetrics.USER32(00000004), ref: 00DB291C
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DB2939
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DB2949
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DB297C
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DB2990
            • GetClientRect.USER32(00000000,000000FF), ref: 00DB29AE
            • GetStockObject.GDI32(00000011), ref: 00DB29CA
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB29D5
              • Part of subcall function 00DB2344: GetCursorPos.USER32(?), ref: 00DB2357
              • Part of subcall function 00DB2344: ScreenToClient.USER32(00E767B0,?), ref: 00DB2374
              • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000001), ref: 00DB2399
              • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
            • SetTimer.USER32(00000000,00000000,00000028,00DB1256), ref: 00DB29FC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 5b457e3b665ac3bd5ce4b29566ecf9392a0d90a30a1fa331807df137feeae8e4
            • Instruction ID: 4903a70fcb10e1675ec4e0bf7a9b103ec1c96efc468ddda1a9a87c93a5758eaa
            • Opcode Fuzzy Hash: 5b457e3b665ac3bd5ce4b29566ecf9392a0d90a30a1fa331807df137feeae8e4
            • Instruction Fuzzy Hash: 70B16071A00249EFDB14DF69DC49BEE7BB4FB08315F108129FA16A72A0DB74D845CB60
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00E340F6
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E341B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: 838c791dda965eabd302e8bcb5ba190e242f0e657a78c9d12c8d9607cf13eaa4
            • Instruction ID: 457e336ee0d8844b6a008bc0a9491669f4b7932c286794556162aa438ed66559
            • Opcode Fuzzy Hash: 838c791dda965eabd302e8bcb5ba190e242f0e657a78c9d12c8d9607cf13eaa4
            • Instruction Fuzzy Hash: 61A1AF70214241DBCB14EF20C856EAABBE5EF84314F105869B896BB7E2DB30FC05CB61
            APIs
            • LoadCursorW.USER32(00000000,00007F89), ref: 00E25309
            • LoadCursorW.USER32(00000000,00007F8A), ref: 00E25314
            • LoadCursorW.USER32(00000000,00007F00), ref: 00E2531F
            • LoadCursorW.USER32(00000000,00007F03), ref: 00E2532A
            • LoadCursorW.USER32(00000000,00007F8B), ref: 00E25335
            • LoadCursorW.USER32(00000000,00007F01), ref: 00E25340
            • LoadCursorW.USER32(00000000,00007F81), ref: 00E2534B
            • LoadCursorW.USER32(00000000,00007F88), ref: 00E25356
            • LoadCursorW.USER32(00000000,00007F80), ref: 00E25361
            • LoadCursorW.USER32(00000000,00007F86), ref: 00E2536C
            • LoadCursorW.USER32(00000000,00007F83), ref: 00E25377
            • LoadCursorW.USER32(00000000,00007F85), ref: 00E25382
            • LoadCursorW.USER32(00000000,00007F82), ref: 00E2538D
            • LoadCursorW.USER32(00000000,00007F84), ref: 00E25398
            • LoadCursorW.USER32(00000000,00007F04), ref: 00E253A3
            • LoadCursorW.USER32(00000000,00007F02), ref: 00E253AE
            • GetCursorInfo.USER32(?), ref: 00E253BE
            • GetLastError.KERNEL32(00000001,00000000), ref: 00E253E9
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Cursor$Load$ErrorInfoLast
            • String ID:
            • API String ID: 3215588206-0
            • Opcode ID: e7e79b404f4ce90f7bb672ef6091f04a6dc6efb1719ff6994c0513c559aac577
            • Instruction ID: 2492aec7d325336b918e99c1327edd0fcb109b0d1e94873b26229751399379c9
            • Opcode Fuzzy Hash: e7e79b404f4ce90f7bb672ef6091f04a6dc6efb1719ff6994c0513c559aac577
            • Instruction Fuzzy Hash: 13417370E043296ADB10AFBA9C4996EFFF8EF51B10B10452FE519E7290DAB895008E61
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00E0AAA5
            • __swprintf.LIBCMT ref: 00E0AB46
            • _wcscmp.LIBCMT ref: 00E0AB59
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E0ABAE
            • _wcscmp.LIBCMT ref: 00E0ABEA
            • GetClassNameW.USER32(?,?,00000400), ref: 00E0AC21
            • GetDlgCtrlID.USER32(?), ref: 00E0AC73
            • GetWindowRect.USER32(?,?), ref: 00E0ACA9
            • GetParent.USER32(?), ref: 00E0ACC7
            • ScreenToClient.USER32(00000000), ref: 00E0ACCE
            • GetClassNameW.USER32(?,?,00000100), ref: 00E0AD48
            • _wcscmp.LIBCMT ref: 00E0AD5C
            • GetWindowTextW.USER32(?,?,00000400), ref: 00E0AD82
            • _wcscmp.LIBCMT ref: 00E0AD96
              • Part of subcall function 00DD386C: _iswctype.LIBCMT ref: 00DD3874
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
            • String ID: %s%u
            • API String ID: 3744389584-679674701
            • Opcode ID: 08cf4cfeecc55858c0312874b6cddf37c8271244ecb7441239939b485992247e
            • Instruction ID: 96efdddf70ccd083492045f0226a084857f5871c6dce7ffe6c1164203f1147c9
            • Opcode Fuzzy Hash: 08cf4cfeecc55858c0312874b6cddf37c8271244ecb7441239939b485992247e
            • Instruction Fuzzy Hash: 53A1B07120470AAFD714DF20C884BEAF7E8FF04319F085639F999A2190D730E985CBA2
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 00E0B3DB
            • _wcscmp.LIBCMT ref: 00E0B3EC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E0B414
            • CharUpperBuffW.USER32(?,00000000), ref: 00E0B431
            • _wcscmp.LIBCMT ref: 00E0B44F
            • _wcsstr.LIBCMT ref: 00E0B460
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00E0B498
            • _wcscmp.LIBCMT ref: 00E0B4A8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E0B4CF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00E0B518
            • _wcscmp.LIBCMT ref: 00E0B528
            • GetClassNameW.USER32(00000010,?,00000400), ref: 00E0B550
            • GetWindowRect.USER32(00000004,?), ref: 00E0B5B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: 01e408d3420a185521c3f2353530069c7f4039f386a4bd58413eadfabc345053
            • Instruction ID: ae78b09516db8263faf6d558e35998e66e6927c557d44af5d170f426d465db7a
            • Opcode Fuzzy Hash: 01e408d3420a185521c3f2353530069c7f4039f386a4bd58413eadfabc345053
            • Instruction Fuzzy Hash: B2819E710042059FDB14DF10D885FAA7BE8FF44718F0495AAFD85AA1D2EB34DE89CBA1
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • DragQueryPoint.SHELL32(?,?), ref: 00E3C917
              • Part of subcall function 00E3ADF1: ClientToScreen.USER32(?,?), ref: 00E3AE1A
              • Part of subcall function 00E3ADF1: GetWindowRect.USER32(?,?), ref: 00E3AE90
              • Part of subcall function 00E3ADF1: PtInRect.USER32(?,?,00E3C304), ref: 00E3AEA0
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E3C980
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E3C98B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E3C9AE
            • _wcscat.LIBCMT ref: 00E3C9DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E3C9F5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E3CA0E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E3CA25
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E3CA47
            • DragFinish.SHELL32(?), ref: 00E3CA4E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E3CB41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
            • API String ID: 169749273-2073472848
            • Opcode ID: 6c07c05de770804c9e3a3511ddadb10cd1143365ae4760dc929474fccc342160
            • Instruction ID: 1e467b1b7d19ef2c375bb542bada20ee2e34c63a1e17ff4329d8a15f6f410861
            • Opcode Fuzzy Hash: 6c07c05de770804c9e3a3511ddadb10cd1143365ae4760dc929474fccc342160
            • Instruction Fuzzy Hash: 71615D71508304AFC701EF61DC89DAFBFE8EF89754F00092DF596A61A1DB709A49CB62
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: 19e0fca5db65d92eeb972967f1ba8396193344c41c34c82ff7eaddf219263858
            • Instruction ID: f1d11247428033b4b80cc29ce45a638f975b26c92b8751f23da6598cf60edb4f
            • Opcode Fuzzy Hash: 19e0fca5db65d92eeb972967f1ba8396193344c41c34c82ff7eaddf219263858
            • Instruction Fuzzy Hash: 7A314131A84306E6DB14FA60DD43EEE77A8EF24790F60152AF452720E6EF71AE44C571
            APIs
            • LoadIconW.USER32(00000063), ref: 00E0C4D4
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E0C4E6
            • SetWindowTextW.USER32(?,?), ref: 00E0C4FD
            • GetDlgItem.USER32(?,000003EA), ref: 00E0C512
            • SetWindowTextW.USER32(00000000,?), ref: 00E0C518
            • GetDlgItem.USER32(?,000003E9), ref: 00E0C528
            • SetWindowTextW.USER32(00000000,?), ref: 00E0C52E
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E0C54F
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E0C569
            • GetWindowRect.USER32(?,?), ref: 00E0C572
            • SetWindowTextW.USER32(?,?), ref: 00E0C5DD
            • GetDesktopWindow.USER32 ref: 00E0C5E3
            • GetWindowRect.USER32(00000000), ref: 00E0C5EA
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E0C636
            • GetClientRect.USER32(?,?), ref: 00E0C643
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E0C668
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E0C693
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: cf24f3e139e2e5d4879fc74ba815d4ea51409d35e9c4f8c7bca78511eb56d421
            • Instruction ID: 6e4cf0ecf04e89c8b524d6032b33c4e64c2766fb69118702a2cf7025ac7116df
            • Opcode Fuzzy Hash: cf24f3e139e2e5d4879fc74ba815d4ea51409d35e9c4f8c7bca78511eb56d421
            • Instruction Fuzzy Hash: FA515070900709AFDB20DFA9DD89B6EBBF5FF04705F104629E686B25E0C775A944CB50
            APIs
            • _memset.LIBCMT ref: 00E3A4C8
            • DestroyWindow.USER32(?,?), ref: 00E3A542
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E3A5BC
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E3A5DE
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E3A5F1
            • DestroyWindow.USER32(00000000), ref: 00E3A613
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DB0000,00000000), ref: 00E3A64A
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E3A663
            • GetDesktopWindow.USER32 ref: 00E3A67C
            • GetWindowRect.USER32(00000000), ref: 00E3A683
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E3A69B
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E3A6B3
              • Part of subcall function 00DB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DB25EC
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
            • String ID: 0$tooltips_class32
            • API String ID: 1297703922-3619404913
            • Opcode ID: 0b5a83cf3f8577d5a4d54bb421d52844d85bc8482762cb6cd43d0da11507e09a
            • Instruction ID: 47b3bae95daa379edef748c47923e526093b6edff5b7afb29efeb7bba92b9e56
            • Opcode Fuzzy Hash: 0b5a83cf3f8577d5a4d54bb421d52844d85bc8482762cb6cd43d0da11507e09a
            • Instruction Fuzzy Hash: C671A171540205AFD724CF29CC4AF667FE5FB88308F08452DF985A72A0D770E985CB62
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00E346AB
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E346F6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 2081b52e9524f678d18939098c3768479168d50e9ce8b80c5cee2c29ab4ff5bc
            • Instruction ID: 25b932c56f3ca5ef294f435985786bcc33bc99e4da24f7f1acc857f1d8ea7535
            • Opcode Fuzzy Hash: 2081b52e9524f678d18939098c3768479168d50e9ce8b80c5cee2c29ab4ff5bc
            • Instruction Fuzzy Hash: D3916E742043019BCB14EF20C455AAABBE2EF95354F04646DF8966B7E2CB30FD46CB61
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E3BB6E
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E39431), ref: 00E3BBCA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E3BC03
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E3BC46
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E3BC7D
            • FreeLibrary.KERNEL32(?), ref: 00E3BC89
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E3BC99
            • DestroyIcon.USER32(?,?,?,?,?,00E39431), ref: 00E3BCA8
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E3BCC5
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E3BCD1
              • Part of subcall function 00DD313D: __wcsicmp_l.LIBCMT ref: 00DD31C6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: 24aada26336b99cf080bb15ee4474d5be8e204ada0cf6cc38e0c29eec76599d0
            • Instruction ID: a46c31fd6bb4da2705cb3172d0402d3cce24734800133bfeeacd2a8c21340099
            • Opcode Fuzzy Hash: 24aada26336b99cf080bb15ee4474d5be8e204ada0cf6cc38e0c29eec76599d0
            • Instruction Fuzzy Hash: 9661E371900219FEEB24DF65CC49FBABBA8EB08710F105116FA16E61D0DB71A984CBB0
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00E3FB78), ref: 00E1A0FC
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
            • LoadStringW.USER32(?,?,00000FFF,?), ref: 00E1A11E
            • __swprintf.LIBCMT ref: 00E1A177
            • __swprintf.LIBCMT ref: 00E1A190
            • _wprintf.LIBCMT ref: 00E1A246
            • _wprintf.LIBCMT ref: 00E1A264
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf$_memmove
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
            • API String ID: 311963372-1048875529
            • Opcode ID: 65cb3f58faf817da631cdedb5e7118da3cced9a975a96507a334a0c236fa00c8
            • Instruction ID: 11d36d1632bba639c17ab088e7848f4eb65c7ca449b2e577d59c2c757751d365
            • Opcode Fuzzy Hash: 65cb3f58faf817da631cdedb5e7118da3cced9a975a96507a334a0c236fa00c8
            • Instruction Fuzzy Hash: 6151397190120AABCF15EBA0DD86EEEB7B9EF04304F140165F516721A2EB316E98DB71
            APIs
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • CharLowerBuffW.USER32(?,?), ref: 00E1A636
            • GetDriveTypeW.KERNEL32 ref: 00E1A683
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E1A6CB
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E1A702
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E1A730
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 2698844021-4113822522
            • Opcode ID: fbf370e20f8ae72da76aee5d7fcf97785405e17445c36b662fc635c41af2f001
            • Instruction ID: 29a77e77803ca50b3c23f200fdf7dd9c4089ff7691d54217ade0d9b227e5200a
            • Opcode Fuzzy Hash: fbf370e20f8ae72da76aee5d7fcf97785405e17445c36b662fc635c41af2f001
            • Instruction Fuzzy Hash: 80514A71504305DFC700EF20D8919AAB7F8EF94758F08596DF896672A1DB31AE0ACB62
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E1A47A
            • __swprintf.LIBCMT ref: 00E1A49C
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E1A4D9
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E1A4FE
            • _memset.LIBCMT ref: 00E1A51D
            • _wcsncpy.LIBCMT ref: 00E1A559
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E1A58E
            • CloseHandle.KERNEL32(00000000), ref: 00E1A599
            • RemoveDirectoryW.KERNEL32(?), ref: 00E1A5A2
            • CloseHandle.KERNEL32(00000000), ref: 00E1A5AC
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: 84c713ed64ffad65dffb4a2075d6babc32e115b691a6d48704528f03546456de
            • Instruction ID: 20a4494fb18aca24f336f0413f922954910e22ae1c2e672729789ad9bc616a2e
            • Opcode Fuzzy Hash: 84c713ed64ffad65dffb4a2075d6babc32e115b691a6d48704528f03546456de
            • Instruction Fuzzy Hash: B9318EB5900209ABDB219FA1DC49FFB77BDEF88705F1441B6F908E2160E77096888B35
            APIs
            • __wsplitpath.LIBCMT ref: 00E1DC7B
            • _wcscat.LIBCMT ref: 00E1DC93
            • _wcscat.LIBCMT ref: 00E1DCA5
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E1DCBA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E1DCCE
            • GetFileAttributesW.KERNEL32(?), ref: 00E1DCE6
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E1DD00
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E1DD12
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 815977b4112f4ff85c93bb1f9eb1a19da47fdfb19799a4f1df7b5ed6f37f3cdd
            • Instruction ID: 14e073216af737477a35e74a160c8d1020b435005627a96edd212b2905b12519
            • Opcode Fuzzy Hash: 815977b4112f4ff85c93bb1f9eb1a19da47fdfb19799a4f1df7b5ed6f37f3cdd
            • Instruction Fuzzy Hash: 6F81727150C2459FCB24DF24CC859EEB7E8EB88314F159D2EF886E7251E630E984CB62
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E3C4EC
            • GetFocus.USER32 ref: 00E3C4FC
            • GetDlgCtrlID.USER32(00000000), ref: 00E3C507
            • _memset.LIBCMT ref: 00E3C632
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E3C65D
            • GetMenuItemCount.USER32(?), ref: 00E3C67D
            • GetMenuItemID.USER32(?,00000000), ref: 00E3C690
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E3C6C4
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E3C70C
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E3C744
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E3C779
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: f48786b3efbf213510c7c072d880ae2a17d9e4685a28c9fc929a39690b7f8aeb
            • Instruction ID: c824a3b47b07acffb5016e1ae7d4785e0fadeb6303ec9b22092c6392a5b89026
            • Opcode Fuzzy Hash: f48786b3efbf213510c7c072d880ae2a17d9e4685a28c9fc929a39690b7f8aeb
            • Instruction Fuzzy Hash: 14819E70608305AFD710DF25C989AABBFE4FB88358F20552EF995B3291D730D945CBA2
            APIs
              • Part of subcall function 00E0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E08766
              • Part of subcall function 00E0874A: GetLastError.KERNEL32(?,00E0822A,?,?,?), ref: 00E08770
              • Part of subcall function 00E0874A: GetProcessHeap.KERNEL32(00000008,?,?,00E0822A,?,?,?), ref: 00E0877F
              • Part of subcall function 00E0874A: HeapAlloc.KERNEL32(00000000,?,00E0822A,?,?,?), ref: 00E08786
              • Part of subcall function 00E0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E0879D
              • Part of subcall function 00E087E7: GetProcessHeap.KERNEL32(00000008,00E08240,00000000,00000000,?,00E08240,?), ref: 00E087F3
              • Part of subcall function 00E087E7: HeapAlloc.KERNEL32(00000000,?,00E08240,?), ref: 00E087FA
              • Part of subcall function 00E087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E08240,?), ref: 00E0880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E08458
            • _memset.LIBCMT ref: 00E0846D
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E0848C
            • GetLengthSid.ADVAPI32(?), ref: 00E0849D
            • GetAce.ADVAPI32(?,00000000,?), ref: 00E084DA
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E084F6
            • GetLengthSid.ADVAPI32(?), ref: 00E08513
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E08522
            • HeapAlloc.KERNEL32(00000000), ref: 00E08529
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E0854A
            • CopySid.ADVAPI32(00000000), ref: 00E08551
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E08582
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E085A8
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E085BC
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 7cfacc1c7f16a00e80d82424451031705c1f13e893d915b43211a28f7c785024
            • Instruction ID: 228e735a19e53497af6d7a6377f9a00c1bc7aa8c15b92cc9d35d438fe2fec2e1
            • Opcode Fuzzy Hash: 7cfacc1c7f16a00e80d82424451031705c1f13e893d915b43211a28f7c785024
            • Instruction Fuzzy Hash: AF61467190020AAFDF04DFA5DE49AAEBBB9FF04304F048169E855B72D1DB319A49CF60
            APIs
            • GetDC.USER32(00000000), ref: 00E276A2
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E276AE
            • CreateCompatibleDC.GDI32(?), ref: 00E276BA
            • SelectObject.GDI32(00000000,?), ref: 00E276C7
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E2771B
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E27757
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E2777B
            • SelectObject.GDI32(00000006,?), ref: 00E27783
            • DeleteObject.GDI32(?), ref: 00E2778C
            • DeleteDC.GDI32(00000006), ref: 00E27793
            • ReleaseDC.USER32(00000000,?), ref: 00E2779E
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: eaeee35236f6801760a55a330f8d9e14912836fa2faa21567a08988ce7362577
            • Instruction ID: 1c93107d6998c392d007fb837a07415eead9e23ef824aed4f88974d5aad71ce5
            • Opcode Fuzzy Hash: eaeee35236f6801760a55a330f8d9e14912836fa2faa21567a08988ce7362577
            • Instruction Fuzzy Hash: 30514C75904719EFCB15CFA9DC89EAEBBB9EF48310F14842DF989A7210D731A844CB60
            APIs
              • Part of subcall function 00DD0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DB6C6C,?,00008000), ref: 00DD0BB7
              • Part of subcall function 00DB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB48A1,?,?,00DB37C0,?), ref: 00DB48CE
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DB6D0D
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DB6E5A
              • Part of subcall function 00DB59CD: _wcscpy.LIBCMT ref: 00DB5A05
              • Part of subcall function 00DD387D: _iswctype.LIBCMT ref: 00DD3885
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 537147316-1018226102
            • Opcode ID: 60149ad230374a86afc7eb76204f569d74ac285724f1d9d9689329366657eb4d
            • Instruction ID: b5d4856a4099cf0c7bac0b2d20e3db712df3710107a776bebcecdd9ce2c62342
            • Opcode Fuzzy Hash: 60149ad230374a86afc7eb76204f569d74ac285724f1d9d9689329366657eb4d
            • Instruction Fuzzy Hash: 5C026C31508381DFC724EF25C891AAFBBE5EF98354F14491DF486A72A1DB30D949CB62
            APIs
            • _memset.LIBCMT ref: 00DB45F9
            • GetMenuItemCount.USER32(00E76890), ref: 00DED7CD
            • GetMenuItemCount.USER32(00E76890), ref: 00DED87D
            • GetCursorPos.USER32(?), ref: 00DED8C1
            • SetForegroundWindow.USER32(00000000), ref: 00DED8CA
            • TrackPopupMenuEx.USER32(00E76890,00000000,?,00000000,00000000,00000000), ref: 00DED8DD
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DED8E9
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 2751501086-0
            • Opcode ID: 97a09d436dccb5e69395268e0cc491bce20f10575a73d08abaeb25ba36b18a75
            • Instruction ID: fc4da93a4fadf088372c763f3093c863cf5a7cc53e80166456aeeeece18105ee
            • Opcode Fuzzy Hash: 97a09d436dccb5e69395268e0cc491bce20f10575a73d08abaeb25ba36b18a75
            • Instruction Fuzzy Hash: 5071F670600249BEEB20AF56DC89FEABF65FF05364F240216F516A61E1CBB19C50DBB4
            APIs
            • VariantInit.OLEAUT32(?), ref: 00E28BEC
            • CoInitialize.OLE32(00000000), ref: 00E28C19
            • CoUninitialize.OLE32 ref: 00E28C23
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00E28D23
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E28E50
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E42C0C), ref: 00E28E84
            • CoGetObject.OLE32(?,00000000,00E42C0C,?), ref: 00E28EA7
            • SetErrorMode.KERNEL32(00000000), ref: 00E28EBA
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E28F3A
            • VariantClear.OLEAUT32(?), ref: 00E28F4A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID: ,,
            • API String ID: 2395222682-1556401989
            • Opcode ID: 1ed012abf0960ce2aed3f10cbc0bc9f8f581137b0ef595646a3bdd6236862c17
            • Instruction ID: 0c1039027b4e91da3ab8fb813dd9279279ec8682be306513bcdff16c5e147e6c
            • Opcode Fuzzy Hash: 1ed012abf0960ce2aed3f10cbc0bc9f8f581137b0ef595646a3bdd6236862c17
            • Instruction Fuzzy Hash: E1C15671604315AFD704DF64D98496BBBE9FF88308F00591DF58AAB261DB31ED05CB62
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E30038,?,?), ref: 00E310BC
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            APIs
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
              • Part of subcall function 00DB7A84: _memmove.LIBCMT ref: 00DB7B0D
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E155D2
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E155E8
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E155F9
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E1560B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E1561C
            Similarity
            • API ID: SendString$_memmove
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2279737902-1007645807
            APIs
            Similarity
            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 208665112-3771769585
            APIs
            • timeGetTime.WINMM ref: 00E1521C
              • Part of subcall function 00DD0719: timeGetTime.WINMM(?,7694B400,00DC0FF9), ref: 00DD071D
            • Sleep.KERNEL32(0000000A), ref: 00E15248
            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E1526C
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E1528E
            • SetActiveWindow.USER32 ref: 00E152AD
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E152BB
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E152DA
            • Sleep.KERNEL32(000000FA), ref: 00E152E5
            • IsWindow.USER32 ref: 00E152F1
            • EndDialog.USER32(00000000), ref: 00E15302
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            APIs
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • CoInitialize.OLE32(00000000), ref: 00E1D855
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E1D8E8
            • SHGetDesktopFolder.SHELL32(?), ref: 00E1D8FC
            • CoCreateInstance.OLE32(00E42D7C,00000000,00000001,00E6A89C,?), ref: 00E1D948
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E1D9B7
            • CoTaskMemFree.OLE32(?,?), ref: 00E1DA0F
            • _memset.LIBCMT ref: 00E1DA4C
            • SHBrowseForFolderW.SHELL32(?), ref: 00E1DA88
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E1DAAB
            • CoTaskMemFree.OLE32(00000000), ref: 00E1DAB2
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E1DAE9
            • CoUninitialize.OLE32(00000001,00000000), ref: 00E1DAEB
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            APIs
            • GetKeyboardState.USER32(?), ref: 00E105A7
            • SetKeyboardState.USER32(?), ref: 00E10612
            • GetAsyncKeyState.USER32(000000A0), ref: 00E10632
            • GetKeyState.USER32(000000A0), ref: 00E10649
            • GetAsyncKeyState.USER32(000000A1), ref: 00E10678
            • GetKeyState.USER32(000000A1), ref: 00E10689
            • GetAsyncKeyState.USER32(00000011), ref: 00E106B5
            • GetKeyState.USER32(00000011), ref: 00E106C3
            • GetAsyncKeyState.USER32(00000012), ref: 00E106EC
            • GetKeyState.USER32(00000012), ref: 00E106FA
            • GetAsyncKeyState.USER32(0000005B), ref: 00E10723
            • GetKeyState.USER32(0000005B), ref: 00E10731
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00E0C746
            • GetWindowRect.USER32(00000000,?), ref: 00E0C758
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E0C7B6
            • GetDlgItem.USER32(?,00000002), ref: 00E0C7C1
            • GetWindowRect.USER32(00000000,?), ref: 00E0C7D3
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E0C827
            • GetDlgItem.USER32(?,000003E9), ref: 00E0C835
            • GetWindowRect.USER32(00000000,?), ref: 00E0C846
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E0C889
            • GetDlgItem.USER32(?,000003EA), ref: 00E0C897
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E0C8B4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E0C8C1
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            APIs
              • Part of subcall function 00DB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DB2036,?,00000000,?,?,?,?,00DB16CB,00000000,?), ref: 00DB1B9A
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DB20D3
            • KillTimer.USER32(-00000001,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DB216E
            • DestroyAcceleratorTable.USER32(00000000), ref: 00DEBEF6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBF27
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBF3E
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00DB16CB,00000000,?,?,00DB1AE2,?,?), ref: 00DEBF5A
            • DeleteObject.GDI32(00000000), ref: 00DEBF6C
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            APIs
              • Part of subcall function 00DB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DB25EC
            • GetSysColor.USER32(0000000F), ref: 00DB21D3
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            APIs
            • CharLowerBuffW.USER32(?,?,00E3F910), ref: 00E1AB76
            • GetDriveTypeW.KERNEL32(00000061,00E6A620,00000061), ref: 00E1AC40
            • _wcscpy.LIBCMT ref: 00E1AC6A
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
              • Part of subcall function 00DB2344: GetCursorPos.USER32(?), ref: 00DB2357
              • Part of subcall function 00DB2344: ScreenToClient.USER32(00E767B0,?), ref: 00DB2374
              • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000001), ref: 00DB2399
              • Part of subcall function 00DB2344: GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E3C2E4
            • ImageList_EndDrag.COMCTL32 ref: 00E3C2EA
            • ReleaseCapture.USER32 ref: 00E3C2F0
            • SetWindowTextW.USER32(?,00000000), ref: 00E3C39A
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E3C3AD
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E3C48F
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
            • API String ID: 1924731296-488423084
            APIs
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID: %.15g$0x%p$False$True
            • API String ID: 421087845-2263619337
            APIs
            • _memset.LIBCMT ref: 00E373D9
            • CreateMenu.USER32 ref: 00E373F4
            • SetMenu.USER32(?,00000000), ref: 00E37403
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E37490
            • IsMenu.USER32(?), ref: 00E374A6
            • CreatePopupMenu.USER32 ref: 00E374B0
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E374DD
            • DrawMenuBar.USER32 ref: 00E374E5
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0$F
            • API String ID: 176399719-3044882817
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E377CD
            • CreateCompatibleDC.GDI32(00000000), ref: 00E377D4
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E377E7
            • SelectObject.GDI32(00000000,00000000), ref: 00E377EF
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E377FA
            • DeleteDC.GDI32(00000000), ref: 00E37803
            • GetWindowLongW.USER32(?,000000EC), ref: 00E3780D
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E37821
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E3782D
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            APIs
            • _memset.LIBCMT ref: 00DD707B
              • Part of subcall function 00DD8D68: __getptd_noexit.LIBCMT ref: 00DD8D68
            • __gmtime64_s.LIBCMT ref: 00DD7114
            • __gmtime64_s.LIBCMT ref: 00DD714A
            • __gmtime64_s.LIBCMT ref: 00DD7167
            • __allrem.LIBCMT ref: 00DD71BD
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD71D9
            • __allrem.LIBCMT ref: 00DD71F0
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD720E
            • __allrem.LIBCMT ref: 00DD7225
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DD7243
            • __invoke_watson.LIBCMT ref: 00DD72B4
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            APIs
            • _memset.LIBCMT ref: 00E12A31
            • GetMenuItemInfoW.USER32(00E76890,000000FF,00000000,00000030), ref: 00E12A92
            • SetMenuItemInfoW.USER32(00E76890,00000004,00000000,00000030), ref: 00E12AC8
            • Sleep.KERNEL32(000001F4), ref: 00E12ADA
            • GetMenuItemCount.USER32(?), ref: 00E12B1E
            • GetMenuItemID.USER32(?,00000000), ref: 00E12B3A
            • GetMenuItemID.USER32(?,-00000001), ref: 00E12B64
            • GetMenuItemID.USER32(?,?), ref: 00E12BA9
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E12BEF
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E12C03
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E12C24
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E37214
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E37217
            • GetWindowLongW.USER32(?,000000F0), ref: 00E3723B
            • _memset.LIBCMT ref: 00E3724C
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E3725E
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E372D6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            • Opcode ID: 67c0cf886722c699f1e1feca26f1219d8ef89c54faee13ebf4a7ffb5d873eaab
            • Instruction ID: fb4c6e793a1023ba5dc0668a8f4dae16db51db7ce84801fa7db5753feb593ec1
            • Opcode Fuzzy Hash: 67c0cf886722c699f1e1feca26f1219d8ef89c54faee13ebf4a7ffb5d873eaab
            • Instruction Fuzzy Hash: AC617BB5A00248AFDB20DFA4CC85EEE7BF8EB09704F144159FA54B72A1C770AD45DBA0
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E07135
            • SafeArrayAllocData.OLEAUT32(?), ref: 00E0718E
            • VariantInit.OLEAUT32(?), ref: 00E071A0
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E071C0
            • VariantCopy.OLEAUT32(?,?), ref: 00E07213
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E07227
            • VariantClear.OLEAUT32(?), ref: 00E0723C
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00E07249
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E07252
            • VariantClear.OLEAUT32(?), ref: 00E07264
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E0726F
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: dca86eff849ea1efbfb5424876e39fb7950ab4f541415afbed31552a1b606f28
            • Instruction ID: 6eab400d11aa4b553e0f86e5b1f1fe0683ff4666d731312dd26040c94174707c
            • Opcode Fuzzy Hash: dca86eff849ea1efbfb5424876e39fb7950ab4f541415afbed31552a1b606f28
            • Instruction Fuzzy Hash: 2D413075D04119EFCB04DF65D8489EEBBB9FF48354F008069F955B7261CB30A989CBA0
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00E25AA6
            • inet_addr.WSOCK32(?,?,?), ref: 00E25AEB
            • gethostbyname.WSOCK32(?), ref: 00E25AF7
            • IcmpCreateFile.IPHLPAPI ref: 00E25B05
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E25B75
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E25B8B
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E25C00
            • WSACleanup.WSOCK32 ref: 00E25C06
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: b57450e03b96a4f4799e054616312b782727d4d9d2a27a5e2af9126e17d11048
            • Instruction ID: 0071e62f499382e11f5293223bde5fee97ac0e28bd357310c74ac407a30d5188
            • Opcode Fuzzy Hash: b57450e03b96a4f4799e054616312b782727d4d9d2a27a5e2af9126e17d11048
            • Instruction Fuzzy Hash: E251A032604710DFDB10AF25ED49B6ABBE0EF48310F14992AF556EB2A1DB70E804CB51
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E1B73B
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E1B7B1
            • GetLastError.KERNEL32 ref: 00E1B7BB
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00E1B828
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 60e6882cbfcadbe48cf215dbb9ce509457e1f3ea8e1e3c287886bcd1ec61c986
            • Instruction ID: a53bc2ae14b9c5a6886c99e58c0e718d8196566513b559d9c7e27e29254a9986
            • Opcode Fuzzy Hash: 60e6882cbfcadbe48cf215dbb9ce509457e1f3ea8e1e3c287886bcd1ec61c986
            • Instruction Fuzzy Hash: FE31A135E00209DFCB04EF64D889AEEBBB8EF84744F14512AE502F72D1DB719982CB61
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E094F6
            • GetDlgCtrlID.USER32 ref: 00E09501
            • GetParent.USER32 ref: 00E0951D
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E09520
            • GetDlgCtrlID.USER32(?), ref: 00E09529
            • GetParent.USER32(?), ref: 00E09545
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E09548
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: 6a7ccd1a607d40d74392bdf19f232aedb2ba7f761c31f2e3e5cb229edd7e6559
            • Instruction ID: facc95e2f598f006a95165513182bc5901e4ac9dde7f2de668f8719e7c0db791
            • Opcode Fuzzy Hash: 6a7ccd1a607d40d74392bdf19f232aedb2ba7f761c31f2e3e5cb229edd7e6559
            • Instruction Fuzzy Hash: FE21B270E00208AFCF05AF65CC96EFEBB68EF49300F101115F562A72E2DB7559599B70
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E095DF
            • GetDlgCtrlID.USER32 ref: 00E095EA
            • GetParent.USER32 ref: 00E09606
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E09609
            • GetDlgCtrlID.USER32(?), ref: 00E09612
            • GetParent.USER32(?), ref: 00E0962E
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E09631
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: 81e6ff961b8ed8033a363a7bb189805da76aadd8dd0d702ff01b8fc58b9579a3
            • Instruction ID: b0ee68727ab8fd0e4609db16f5ba7a847b7cd5445304c8af166ccf0f91ab541f
            • Opcode Fuzzy Hash: 81e6ff961b8ed8033a363a7bb189805da76aadd8dd0d702ff01b8fc58b9579a3
            • Instruction Fuzzy Hash: 62219074A00208ABDF01AF61DC96EFEBBA8EF48300F105015F952A72E2DB7599599A70
            APIs
            • GetParent.USER32 ref: 00E09651
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00E09666
            • _wcscmp.LIBCMT ref: 00E09678
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E096F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: 2db62688ea98adf4242ff6dc90193ce498f173236291c14f4cde6eff15a75e57
            • Instruction ID: 541af2499cd3b8a91ea58be8f2f49512e030a494976edb8036bb30b65e94cd54
            • Opcode Fuzzy Hash: 2db62688ea98adf4242ff6dc90193ce498f173236291c14f4cde6eff15a75e57
            • Instruction Fuzzy Hash: A8110A76688707BAFA052A21FC1BDE6779CCB05364F201027F901B50E3FE6359904979
            APIs
            • __swprintf.LIBCMT ref: 00E1419D
            • __swprintf.LIBCMT ref: 00E141AA
              • Part of subcall function 00DD38D8: __woutput_l.LIBCMT ref: 00DD3931
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00E141D4
            • LoadResource.KERNEL32(?,00000000), ref: 00E141E0
            • LockResource.KERNEL32(00000000), ref: 00E141ED
            • FindResourceW.KERNEL32(?,?,00000003), ref: 00E1420D
            • LoadResource.KERNEL32(?,00000000), ref: 00E1421F
            • SizeofResource.KERNEL32(?,00000000), ref: 00E1422E
            • LockResource.KERNEL32(?), ref: 00E1423A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E1429B
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: d3c86e20e6da5fec400c69cd9221990537e88ee8bb51f68ebfa9def2bcbb3867
            • Instruction ID: d0fac8794ae9a53f0a297a88cb51cce2c48accf0fec5a328da6b046b0bc9bc9f
            • Opcode Fuzzy Hash: d3c86e20e6da5fec400c69cd9221990537e88ee8bb51f68ebfa9def2bcbb3867
            • Instruction Fuzzy Hash: F23181B1A0521AAFDB119F61EC48EFB7BA8EF04305F044525F915F22A0D770DA91CBB0
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DBFC06
            • OleUninitialize.OLE32(?,00000000), ref: 00DBFCA5
            • UnregisterHotKey.USER32(?), ref: 00DBFDFC
            • DestroyWindow.USER32(?), ref: 00DF4A00
            • FreeLibrary.KERNEL32(?), ref: 00DF4A65
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DF4A92
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: acf2b21a28c2330e833349bee6cb64f4e3a17a8547366859ce8667e7f21f713f
            • Instruction ID: e72dba9e971ef1199aa355c1fd9caec7c2815baf94f1b11852a00c9eda23e24c
            • Opcode Fuzzy Hash: acf2b21a28c2330e833349bee6cb64f4e3a17a8547366859ce8667e7f21f713f
            • Instruction Fuzzy Hash: 11A13E34701216CFCB19EF15C895A6AF7A4EF04704F1982ADE90A6B262DB30ED56CF74
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-218231672
            • Opcode ID: e397bab693ce5d957e16c827380079733e5651c28e7a7e5edbe7cc7ee1409c79
            • Instruction ID: f455ee3e64f60df8438254bb4af55024c20ce67447684f03c4b1bf7e5040424a
            • Opcode Fuzzy Hash: e397bab693ce5d957e16c827380079733e5651c28e7a7e5edbe7cc7ee1409c79
            • Instruction Fuzzy Hash: 9991BE70A00229ABDF24DFA5E848FAEBBB8EF45714F10A159F515BB281D7709905CFA0
            APIs
            • EnumChildWindows.USER32(?,00E0AA64), ref: 00E0A9A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: 2892faea5d04c1cc7d259eb411a27ab8699883f6d58da079912a0d8866e717ca
            • Instruction ID: 845f5eed5f648c7266d435652e2949570d13802afe42cd336c94145648b2e072
            • Opcode Fuzzy Hash: 2892faea5d04c1cc7d259eb411a27ab8699883f6d58da079912a0d8866e717ca
            • Instruction Fuzzy Hash: 62917330A0070AEBDB08DF60D481BE9FB75FF44344F58912AD49AB7291DB306999CBB1
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00DB2EAE
              • Part of subcall function 00DB1DB3: GetClientRect.USER32(?,?), ref: 00DB1DDC
              • Part of subcall function 00DB1DB3: GetWindowRect.USER32(?,?), ref: 00DB1E1D
              • Part of subcall function 00DB1DB3: ScreenToClient.USER32(?,?), ref: 00DB1E45
            • GetDC.USER32 ref: 00DECF82
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DECF95
            • SelectObject.GDI32(00000000,00000000), ref: 00DECFA3
            • SelectObject.GDI32(00000000,00000000), ref: 00DECFB8
            • ReleaseDC.USER32(?,00000000), ref: 00DECFC0
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DED04B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: c89585ada3b7fc65991f78d2a24126624fc4e8577c7ca75895b35d3aaf8de441
            • Instruction ID: 0076668aa048bd124b5126fc088d2c733d450428033c5d2fe7fef4711b714036
            • Opcode Fuzzy Hash: c89585ada3b7fc65991f78d2a24126624fc4e8577c7ca75895b35d3aaf8de441
            • Instruction Fuzzy Hash: 0371E231400245DFCF259F66C884AFA3BB6FF48360F18426AFD566A1A6C731C842DB70
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E3F910), ref: 00E2903D
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E3F910), ref: 00E29071
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E291EB
            • SysFreeString.OLEAUT32(?), ref: 00E29215
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: 272ab4a613a547a31fcd2736eb6afe37646b550b6d2492e9ee2918b5d8f8775b
            • Instruction ID: 965fe03818bef8492c79cffc876f2cb8723192e57fcee203769d262c85123383
            • Opcode Fuzzy Hash: 272ab4a613a547a31fcd2736eb6afe37646b550b6d2492e9ee2918b5d8f8775b
            • Instruction Fuzzy Hash: 79F10871A00219EFDF04DF94D888EAEB7B9FF49314F109059F516AB291DB31AE45CB60
            APIs
            • _memset.LIBCMT ref: 00E2F9C9
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E2FB5C
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E2FB80
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E2FBC0
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E2FBE2
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E2FD5E
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E2FD90
            • CloseHandle.KERNEL32(?), ref: 00E2FDBF
            • CloseHandle.KERNEL32(?), ref: 00E2FE36
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: 57b5e4dc52c1fd8cc3fb9035996b4709baa888362df9c646082fd27a0081e4e2
            • Instruction ID: 41a3b78b5174b1b122748b7b47f6142b02af872a11c38ef5979e840d6781b3b6
            • Opcode Fuzzy Hash: 57b5e4dc52c1fd8cc3fb9035996b4709baa888362df9c646082fd27a0081e4e2
            • Instruction Fuzzy Hash: 88E18D31604251DFCB14EF24D491BAABBF1EF84314F14956DF89AAB2A2DB31DC44CB62
            APIs
              • Part of subcall function 00E148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E138D3,?), ref: 00E148C7
              • Part of subcall function 00E148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E138D3,?), ref: 00E148E0
              • Part of subcall function 00E14CD3: GetFileAttributesW.KERNEL32(?,00E13947), ref: 00E14CD4
            • lstrcmpiW.KERNEL32(?,?), ref: 00E14FE2
            • _wcscmp.LIBCMT ref: 00E14FFC
            • MoveFileW.KERNEL32(?,?), ref: 00E15017
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: a67e286d9bac5ee9149498e14890f7aab5ad29e7fe4e281dd6491488a69ae512
            • Instruction ID: 92cdc5229d53e97c2b09589e1eb0cfc06e1407d4e6f59d4e128eed59be0a44f0
            • Opcode Fuzzy Hash: a67e286d9bac5ee9149498e14890f7aab5ad29e7fe4e281dd6491488a69ae512
            • Instruction Fuzzy Hash: BD5165B25087859BC724EBA0D8819DFB3DCEF84301F10192EF189E3191EF74A6888776
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E3896E
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 517d1e369b9a433810045e4f10b4e7d2a6dd65466cbae01e06c592e8345bec7c
            • Instruction ID: 136f08f509b23d554cc281cfbf4f84f2b10dfb66c7be86fc21b6b02c9e35e752
            • Opcode Fuzzy Hash: 517d1e369b9a433810045e4f10b4e7d2a6dd65466cbae01e06c592e8345bec7c
            • Instruction Fuzzy Hash: 8F519030600308BFEF289F25CE8DBA93FA5EB04354F606116F515F66A1DF71A984DB91
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DEC547
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DEC569
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DEC581
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DEC59F
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DEC5C0
            • DestroyIcon.USER32(00000000), ref: 00DEC5CF
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DEC5EC
            • DestroyIcon.USER32(?), ref: 00DEC5FB
              • Part of subcall function 00E3A71E: DeleteObject.GDI32(00000000), ref: 00E3A757
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
            • String ID:
            • API String ID: 2819616528-0
            • Opcode ID: c3227707579ff6ce6cf0db6435e292bff288bff531cf6d563030c6e7d8ec64ff
            • Instruction ID: e468d33b4910c461cf28ea6d708e9194640bef3ea1fd5ed2bac4a45da9b28417
            • Opcode Fuzzy Hash: c3227707579ff6ce6cf0db6435e292bff288bff531cf6d563030c6e7d8ec64ff
            • Instruction Fuzzy Hash: 86517771A10249EFDB24EF26CC45FBA3BB5EB48350F140529F946A72A0DB70ED91DB60
            APIs
              • Part of subcall function 00E0AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E0AE77
              • Part of subcall function 00E0AE57: GetCurrentThreadId.KERNEL32 ref: 00E0AE7E
              • Part of subcall function 00E0AE57: AttachThreadInput.USER32(00000000,?,00E09B65,?,00000001), ref: 00E0AE85
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E09B70
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E09B8D
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E09B90
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E09B99
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E09BB7
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E09BBA
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E09BC3
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E09BDA
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E09BDD
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: f7411ed56d605a7db9a815daecbf15d46961300adc22b8c26685a24161c67e98
            • Instruction ID: 98960c1e240c8457bcbaff1c7c8e9d1b9c713fa48168eeb6886c4b0bfbbd893d
            • Opcode Fuzzy Hash: f7411ed56d605a7db9a815daecbf15d46961300adc22b8c26685a24161c67e98
            • Instruction Fuzzy Hash: C711CE71950618BEF6106F61EC8EFAA3E6DEB4C761F100425F244BB0E1C9F35C909AA4
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E08A84,00000B00,?,?), ref: 00E08E0C
            • HeapAlloc.KERNEL32(00000000,?,00E08A84,00000B00,?,?), ref: 00E08E13
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E08A84,00000B00,?,?), ref: 00E08E28
            • GetCurrentProcess.KERNEL32(?,00000000,?,00E08A84,00000B00,?,?), ref: 00E08E30
            • DuplicateHandle.KERNEL32(00000000,?,00E08A84,00000B00,?,?), ref: 00E08E33
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E08A84,00000B00,?,?), ref: 00E08E43
            • GetCurrentProcess.KERNEL32(00E08A84,00000000,?,00E08A84,00000B00,?,?), ref: 00E08E4B
            • DuplicateHandle.KERNEL32(00000000,?,00E08A84,00000B00,?,?), ref: 00E08E4E
            • CreateThread.KERNEL32(00000000,00000000,00E08E74,00000000,00000000,00000000), ref: 00E08E68
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: c1f926539610bb60f509e5b11ffaf258947966ad95cc90cd2af4e96b94b3939f
            • Instruction ID: b4cc428c1581939e6297dbd71799faeda26287b4f5398ee89970c55e554055dc
            • Opcode Fuzzy Hash: c1f926539610bb60f509e5b11ffaf258947966ad95cc90cd2af4e96b94b3939f
            • Instruction Fuzzy Hash: EC01AC75641308FFE610AB65EC4DF573B6CEB89711F014421FA05EB1A2CA71D8049A20
            APIs
              • Part of subcall function 00E07652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?,?,00E0799D), ref: 00E0766F
              • Part of subcall function 00E07652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?), ref: 00E0768A
              • Part of subcall function 00E07652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?), ref: 00E07698
              • Part of subcall function 00E07652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?), ref: 00E076A8
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E29B1B
            • _memset.LIBCMT ref: 00E29B28
            • _memset.LIBCMT ref: 00E29C6B
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E29C97
            • CoTaskMemFree.OLE32(?), ref: 00E29CA2
            Strings
            • NULL Pointer assignment, xrefs: 00E29CF0
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: cdfffe1111f191c394b1aaa23ab75de4fba3dc4fba7a4e4662669653d5242113
            • Instruction ID: 2309f105b874dc5c977226efce21c872b22d0c7c03fb409a347cc54cde0b4cfb
            • Opcode Fuzzy Hash: cdfffe1111f191c394b1aaa23ab75de4fba3dc4fba7a4e4662669653d5242113
            • Instruction Fuzzy Hash: 8B912871D00229EBDB10DFA5EC85ADEBBB8EF08710F20515AF519B7281DB716A44CFA0
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E37093
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E370A7
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E370C1
            • _wcscat.LIBCMT ref: 00E3711C
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E37133
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E37161
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: fe3a2258f8d748fe1a12997d795f423fc3016c2e7da6ef416e4f306da0a46b7a
            • Instruction ID: 54cec7f574509844df012aa0a95f397c6443b73b2e3514063a417bb1551c220d
            • Opcode Fuzzy Hash: fe3a2258f8d748fe1a12997d795f423fc3016c2e7da6ef416e4f306da0a46b7a
            • Instruction Fuzzy Hash: 7B418271A04308AFDB259F64CC89BEE7BE8EF08354F10156AF584B7191D6719D84CB60
            APIs
              • Part of subcall function 00E13E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E13EB6
              • Part of subcall function 00E13E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E13EC4
              • Part of subcall function 00E13E91: CloseHandle.KERNEL32(00000000), ref: 00E13F8E
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E2ECB8
            • GetLastError.KERNEL32 ref: 00E2ECCB
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E2ECFA
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E2ED77
            • GetLastError.KERNEL32(00000000), ref: 00E2ED82
            • CloseHandle.KERNEL32(00000000), ref: 00E2EDB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: db2a20d8c9df0f8866679ff7f616120ce68021786740ff69144ad7aeb04d7891
            • Instruction ID: 4522f079f5eea854ba12613aabf48cca39bbaa38251a6c61889417d18651d851
            • Opcode Fuzzy Hash: db2a20d8c9df0f8866679ff7f616120ce68021786740ff69144ad7aeb04d7891
            • Instruction Fuzzy Hash: 8341BF716002219FDB14EF24DC95FAEB7A1EF40714F08845DF946AB3D2DB75A848CBA2
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00E132C5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 1747d0742f818442a3d9ae8295185a715a0ba63c26469a807adc3c66860a1016
            • Instruction ID: fb4e5d893253b8b981f856318e65a83bb03a3ada90bdf0140cf4d263e81994e9
            • Opcode Fuzzy Hash: 1747d0742f818442a3d9ae8295185a715a0ba63c26469a807adc3c66860a1016
            • Instruction Fuzzy Hash: 74112B316493477BA7056B65EC42CEAB79CDF19374F20103BF500B6291D6725F8089B5
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E1454E
            • LoadStringW.USER32(00000000), ref: 00E14555
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E1456B
            • LoadStringW.USER32(00000000), ref: 00E14572
            • _wprintf.LIBCMT ref: 00E14598
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E145B6
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00E14593
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: 5440f1ce22b0115dc875190d53e9eb8acdbaacd7d7e6d6b71492ef12ad504220
            • Instruction ID: 8a17fed872f4cb1552118793af0491fd4382405109f91e9c46218d7edb9fbec6
            • Opcode Fuzzy Hash: 5440f1ce22b0115dc875190d53e9eb8acdbaacd7d7e6d6b71492ef12ad504220
            • Instruction Fuzzy Hash: 91014FF290020CBFE750A7A59D8EEE67B6CE708301F0005A5FB45F2152EA749E898B71
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • GetSystemMetrics.USER32(0000000F), ref: 00E3D78A
            • GetSystemMetrics.USER32(0000000F), ref: 00E3D7AA
            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E3D9E5
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E3DA03
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E3DA24
            • ShowWindow.USER32(00000003,00000000), ref: 00E3DA43
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E3DA68
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E3DA8B
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
            • String ID:
            • API String ID: 1211466189-0
            • Opcode ID: 60229af3d4c11b1f7df4b24a108543f9ef6ea4f5dd77c9bcb0f20c6f950d717c
            • Instruction ID: 75810c1782b6a7eece3d2c537b7686c1a5fb7aefc6d4566c6575789c3520176b
            • Opcode Fuzzy Hash: 60229af3d4c11b1f7df4b24a108543f9ef6ea4f5dd77c9bcb0f20c6f950d717c
            • Instruction Fuzzy Hash: 66B1DA31A08219EFDF18CF69DA897BD7BB1FF44705F089069EC48AB295D730A954CB90
            APIs
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DEC417,00000004,00000000,00000000,00000000), ref: 00DB2ACF
            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DEC417,00000004,00000000,00000000,00000000,000000FF), ref: 00DB2B17
            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DEC417,00000004,00000000,00000000,00000000), ref: 00DEC46A
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DEC417,00000004,00000000,00000000,00000000), ref: 00DEC4D6
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 712d5f593d48a1881d24e4db5c772e369074081b1bf9262fadd425a0e6e03e26
            • Instruction ID: b03d4dd51d1b1807d3c082e664eef70d780c0ca2766919815d332964c2d37bd6
            • Opcode Fuzzy Hash: 712d5f593d48a1881d24e4db5c772e369074081b1bf9262fadd425a0e6e03e26
            • Instruction Fuzzy Hash: BA412C336146C0DED739AB2A8C9CBFB7BA1AB85314F6C841DE087965A0C635E846D731
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E1737F
              • Part of subcall function 00DD0FF6: std::exception::exception.LIBCMT ref: 00DD102C
              • Part of subcall function 00DD0FF6: __CxxThrowException@8.LIBCMT ref: 00DD1041
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E173B6
            • EnterCriticalSection.KERNEL32(?), ref: 00E173D2
            • _memmove.LIBCMT ref: 00E17420
            • _memmove.LIBCMT ref: 00E1743D
            • LeaveCriticalSection.KERNEL32(?), ref: 00E1744C
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E17461
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E17480
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 256516436-0
            • Opcode ID: 28c82821717fb92bce4fbf714cb5a18681135972da74de12361d5d88b23565df
            • Instruction ID: e6d78b2bfca3d33c63f0ad441573e15737c392afc477918c4d7070afc8097afa
            • Opcode Fuzzy Hash: 28c82821717fb92bce4fbf714cb5a18681135972da74de12361d5d88b23565df
            • Instruction Fuzzy Hash: AB317035904205EFCF10EFA5DC89AAF7B78EF44710F1441A6F904AB256DB709A58CBB0
            APIs
            • DeleteObject.GDI32(00000000), ref: 00E3645A
            • GetDC.USER32(00000000), ref: 00E36462
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E3646D
            • ReleaseDC.USER32(00000000,00000000), ref: 00E36479
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E364B5
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E364C6
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E39299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E36500
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E36520
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 504d0cf2897c248332552bd837b57b434aee47052754393674170371928a0897
            • Instruction ID: 39dec4447ce1a7dfe159b8da1349cebd60c0e67759931b856d3a07881c3451cb
            • Opcode Fuzzy Hash: 504d0cf2897c248332552bd837b57b434aee47052754393674170371928a0897
            • Instruction Fuzzy Hash: 6B319F72601214BFEF108F61CC8AFEA3FA9EF09765F044065FE08AA191C7759C41CBA0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: d748690875740b1d105ec5dde31389119aa13b805db55b0e9378a6a30a28f3c7
            • Instruction ID: 292f1ec54ca908c301eedc1ae724337f75ab4d40d854321f73336197877fb64e
            • Opcode Fuzzy Hash: d748690875740b1d105ec5dde31389119aa13b805db55b0e9378a6a30a28f3c7
            • Instruction Fuzzy Hash: B821C275A01205BBD210BB219C42FAB27ADEF20398B682125FE05B63C3E751DE51C1B6
            APIs
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
              • Part of subcall function 00DCFEC6: _wcscpy.LIBCMT ref: 00DCFEE9
            • _wcstok.LIBCMT ref: 00E1EEFF
            • _wcscpy.LIBCMT ref: 00E1EF8E
            • _memset.LIBCMT ref: 00E1EFC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 54a7573374c963c2d9af1636f3a11e2853b15764e2f633f5481125305ce37aff
            • Instruction ID: ab05049abbad9fdd088cf41e59b0cc940e3ae0cd98616fdbbcb6ad35e59a6e3b
            • Opcode Fuzzy Hash: 54a7573374c963c2d9af1636f3a11e2853b15764e2f633f5481125305ce37aff
            • Instruction Fuzzy Hash: 5FC17171608340DFC714EF24D895A9AB7E4FF84314F00492DF89AA72A2DB30ED45CBA2
            APIs
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E26F14
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E26F35
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26F48
            • htons.WSOCK32(?,?,?,00000000,?), ref: 00E26FFE
            • inet_ntoa.WSOCK32(?), ref: 00E26FBB
              • Part of subcall function 00E0AE14: _strlen.LIBCMT ref: 00E0AE1E
              • Part of subcall function 00E0AE14: _memmove.LIBCMT ref: 00E0AE40
            • _strlen.LIBCMT ref: 00E27058
            • _memmove.LIBCMT ref: 00E270C1
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
            • String ID:
            • API String ID: 3619996494-0
            • Opcode ID: 8052f9c6a2d55faf49f75fc43aba4663c3cfcf8b049a13164721fdd16dc7cb1b
            • Instruction ID: 8d4bb59d76d161a58e161038864df2a6cd6bc9bd0443ece6b1d07ef1bab6b9e9
            • Opcode Fuzzy Hash: 8052f9c6a2d55faf49f75fc43aba4663c3cfcf8b049a13164721fdd16dc7cb1b
            • Instruction Fuzzy Hash: 3681E171508310EBC710EF24DC95FABB7E8EF84718F105A1DF556AB2A2DA70AD04C7A2
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0a11176c723096773e3a6828a863a3f942704f8b9f183bfe894f9f19457db35
            • Instruction ID: 39397a64dcac748fb692887708eab101b4660acb17adb2514ca594800e08e892
            • Opcode Fuzzy Hash: f0a11176c723096773e3a6828a863a3f942704f8b9f183bfe894f9f19457db35
            • Instruction Fuzzy Hash: 30715734900109EFCB149F99CC99AEFBBB9FF85320F548159E916AA251C730AA51CFB4
            APIs
            • IsWindow.USER32(00FC4B58), ref: 00E3B6A5
            • IsWindowEnabled.USER32(00FC4B58), ref: 00E3B6B1
            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E3B795
            • SendMessageW.USER32(00FC4B58,000000B0,?,?), ref: 00E3B7CC
            • IsDlgButtonChecked.USER32(?,?), ref: 00E3B809
            • GetWindowLongW.USER32(00FC4B58,000000EC), ref: 00E3B82B
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E3B843
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
            • String ID:
            • API String ID: 4072528602-0
            • Opcode ID: fad6c89547e6db12909655c793c5d1be80f7f13dee3146e36b7fd7cf3a920add
            • Instruction ID: 2e5a7a1478b494dfb9dd44ea13f10c736f37e9ffe237256b295c6c0e417f2400
            • Opcode Fuzzy Hash: fad6c89547e6db12909655c793c5d1be80f7f13dee3146e36b7fd7cf3a920add
            • Instruction Fuzzy Hash: 8071A034A00204AFDB24DF65C89AFBA7FB9EF89304F14515AEA47B7262C731A945CB50
            APIs
            • _memset.LIBCMT ref: 00E2F75C
            • _memset.LIBCMT ref: 00E2F825
            • ShellExecuteExW.SHELL32(?), ref: 00E2F86A
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
              • Part of subcall function 00DCFEC6: _wcscpy.LIBCMT ref: 00DCFEE9
            • GetProcessId.KERNEL32(00000000), ref: 00E2F8E1
            • CloseHandle.KERNEL32(00000000), ref: 00E2F910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 3522835683-2766056989
            • Opcode ID: 1a4263cd6cc599bdf564f1edeedc112144c66a0a3a2d8d29eb0a3de07d947a9d
            • Instruction ID: d0f9071c3b726b5b971f88325397cf333e358e3ccbeb45d27110184006c807ce
            • Opcode Fuzzy Hash: 1a4263cd6cc599bdf564f1edeedc112144c66a0a3a2d8d29eb0a3de07d947a9d
            • Instruction Fuzzy Hash: 44616B75A00629DFCF18EF64D591AAEFBB5FF48310B148469E856BB351CB30AD40CBA0
            APIs
            • GetParent.USER32(?), ref: 00E1149C
            • GetKeyboardState.USER32(?), ref: 00E114B1
            • SetKeyboardState.USER32(?), ref: 00E11512
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E11540
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E1155F
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E115A5
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E115C8
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 271dfeaa3bd70abd63366499f32f7d79ca76590abdd27367aa31f8d5bd49072a
            • Instruction ID: d9bb7cb1995b13e75044b7b85bb2824a90fc9332030c83c237dadd5dc84f72e9
            • Opcode Fuzzy Hash: 271dfeaa3bd70abd63366499f32f7d79ca76590abdd27367aa31f8d5bd49072a
            • Instruction Fuzzy Hash: A751E2B0A047D53EFB3246748C45BFABEAA5B46308F0894C9E2D6668D2D2D9ECC4D750
            APIs
            • GetParent.USER32(00000000), ref: 00E112B5
            • GetKeyboardState.USER32(?), ref: 00E112CA
            • SetKeyboardState.USER32(?), ref: 00E1132B
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E11357
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E11374
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E113B8
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E113D9
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: d9824bb11df12efb8dbb2a0d5cac8725af866921dc307ac53850c17ebe28a9e5
            • Instruction ID: 691b7972d8c9802f11a9ad89c2dcb130e453b7becbae140e6a5c89833d0ca41c
            • Opcode Fuzzy Hash: d9824bb11df12efb8dbb2a0d5cac8725af866921dc307ac53850c17ebe28a9e5
            • Instruction Fuzzy Hash: D751E3B09047D53DFB3282248C45BFABFA96B06308F0895C9E2E566CC2D394ACD8E751
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 8e6225d4cbde9644a719c1a20847fd78802a7c3c0b4e7712f17347dbee4809af
            • Instruction ID: c3653e9b06093965066238f6a43e3d199d980f09b333f7326587ada50d41b204
            • Opcode Fuzzy Hash: 8e6225d4cbde9644a719c1a20847fd78802a7c3c0b4e7712f17347dbee4809af
            • Instruction Fuzzy Hash: 804180B6C20518B6CB10EBB48C869CFB7A8DF44310F509967F918E3221E634E754C7BA
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E0DAC5
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E0DAFB
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E0DB0C
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E0DB8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: ,,$DllGetClassObject
            • API String ID: 753597075-2867008933
            • Opcode ID: e93830f658c6f4fab8ea6b03fcd8dab63c7a552ccf2d60e639d4d0ff9f987647
            • Instruction ID: ba355c5c93e804696880d558324e01f64d973f4af592a7add984aba8029dcabd
            • Opcode Fuzzy Hash: e93830f658c6f4fab8ea6b03fcd8dab63c7a552ccf2d60e639d4d0ff9f987647
            • Instruction Fuzzy Hash: 91418EB1604208EFDB15CF95CC84A9ABBB9EF44350F1590A9ED05AF286D7B1DD84CFA0
            APIs
              • Part of subcall function 00E148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E138D3,?), ref: 00E148C7
              • Part of subcall function 00E148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E138D3,?), ref: 00E148E0
            • lstrcmpiW.KERNEL32(?,?), ref: 00E138F3
            • _wcscmp.LIBCMT ref: 00E1390F
            • MoveFileW.KERNEL32(?,?), ref: 00E13927
            • _wcscat.LIBCMT ref: 00E1396F
            • SHFileOperationW.SHELL32(?), ref: 00E139DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
            • String ID: \*.*
            • API String ID: 1377345388-1173974218
            • Opcode ID: eee7cef9c5c5984dac5d9f1e509da8d8ed37aebb07aabdf87cd43b03badfa57e
            • Instruction ID: 96c702e07a2fd6800ae365810051130596c2845d8824ad5f82bb877609f06435
            • Opcode Fuzzy Hash: eee7cef9c5c5984dac5d9f1e509da8d8ed37aebb07aabdf87cd43b03badfa57e
            • Instruction Fuzzy Hash: 5E4160B15083849EC751EF74D485AEFB7E8EF88340F14192EF49AE3251EA74D688C762
            APIs
            • _memset.LIBCMT ref: 00E37519
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E375C0
            • IsMenu.USER32(?), ref: 00E375D8
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E37620
            • DrawMenuBar.USER32 ref: 00E37633
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert_memset
            • String ID: 0
            • API String ID: 3866635326-4108050209
            • Opcode ID: c2c52438bdf77fdfd1d99baddcaa2aad6e564d1529c9f1a0a895c938afb9fe3f
            • Instruction ID: c854f1e782cf462bb8dcdca9a9d8ccc7da3080fc90053df18a60b95a3265acbb
            • Opcode Fuzzy Hash: c2c52438bdf77fdfd1d99baddcaa2aad6e564d1529c9f1a0a895c938afb9fe3f
            • Instruction Fuzzy Hash: 394159B5A04608EFDB20CF54D889E9ABBF8FB04318F049029ED55B7261D730AD44CFA0
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E3125C
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E31286
            • FreeLibrary.KERNEL32(00000000), ref: 00E3133D
              • Part of subcall function 00E3122D: RegCloseKey.ADVAPI32(?), ref: 00E312A3
              • Part of subcall function 00E3122D: FreeLibrary.KERNEL32(?), ref: 00E312F5
              • Part of subcall function 00E3122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E31318
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E312E0
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: e2a7a1c960f18b89b6d039daff8e280577b2f445d1a62f12e3464b045a9b0f00
            • Instruction ID: 30fd7aaa46a5e38f0d16f98033d32c41d622effeebc57e336ef28b53be118dea
            • Opcode Fuzzy Hash: e2a7a1c960f18b89b6d039daff8e280577b2f445d1a62f12e3464b045a9b0f00
            • Instruction Fuzzy Hash: C3312BB1D0111DBFDB149B95EC89AFFBBBCEF08304F0011A9E501F2151EA749E49DAA0
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E3655B
            • GetWindowLongW.USER32(00FC4B58,000000F0), ref: 00E3658E
            • GetWindowLongW.USER32(00FC4B58,000000F0), ref: 00E365C3
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E365F5
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E3661F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E36630
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E3664A
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 2a0d4163c788b3b78ebfe039926888ad32fef7dfe25c5d2972c7c655143fb0e8
            • Instruction ID: ebe8e7f7c08bb71aef254f5ff07865f39aef61edcd5071b933115f79d457cbf7
            • Opcode Fuzzy Hash: 2a0d4163c788b3b78ebfe039926888ad32fef7dfe25c5d2972c7c655143fb0e8
            • Instruction Fuzzy Hash: 80310330604114BFEB21CF2ADC89F553BE1FB4A358F1951A8F505AB2B5CB61AC88DB81
            APIs
              • Part of subcall function 00E280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E280CB
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E264D9
            • WSAGetLastError.WSOCK32(00000000), ref: 00E264E8
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E26521
            • connect.WSOCK32(00000000,?,00000010), ref: 00E2652A
            • WSAGetLastError.WSOCK32 ref: 00E26534
            • closesocket.WSOCK32(00000000), ref: 00E2655D
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E26576
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
            • String ID:
            • API String ID: 910771015-0
            • Opcode ID: 403b321bb8f46e1f739ac7165a67a1c134c69fe1ac37b70292f00ac1f2085f1c
            • Instruction ID: c48a0bfc3abcc61c82a70214ca9f1d10a21a93f47a490847d9fd52da814fd35c
            • Opcode Fuzzy Hash: 403b321bb8f46e1f739ac7165a67a1c134c69fe1ac37b70292f00ac1f2085f1c
            • Instruction Fuzzy Hash: 4C31B331600128AFDB14AF24DC89FBE7BA8EB44714F004169F946B7291CB74AD48CB61
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E0E0FA
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E0E120
            • SysAllocString.OLEAUT32(00000000), ref: 00E0E123
            • SysAllocString.OLEAUT32 ref: 00E0E144
            • SysFreeString.OLEAUT32 ref: 00E0E14D
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00E0E167
            • SysAllocString.OLEAUT32(?), ref: 00E0E175
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 5fadf7a2b235d597fefd4d1b3d29807f927d9e65daef889157800a7c34274be6
            • Instruction ID: 8d7266a22445dbb05e9967e288924c941217f62a61fe358987e6cd2c9bf44247
            • Opcode Fuzzy Hash: 5fadf7a2b235d597fefd4d1b3d29807f927d9e65daef889157800a7c34274be6
            • Instruction Fuzzy Hash: 65218335605108AFDB10AFB9DC88DAB7BECEF09760B108535F955EB3A0DA70DC858B64
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            • Opcode ID: 0c04085ae3a94c8e61b03abb69d0e768675a86de6044a0113f323bc3c08b0652
            • Instruction ID: a9484ee32f1fa741a1a1ff368aed9c44dd8f3d87d43bf13fd81c982cd2c37e2a
            • Opcode Fuzzy Hash: 0c04085ae3a94c8e61b03abb69d0e768675a86de6044a0113f323bc3c08b0652
            • Instruction Fuzzy Hash: C2214832204211A6E330F624EC13EE7B398EF51344F10503AF886A65C1EB509DE196B9
            APIs
              • Part of subcall function 00DB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DB1D73
              • Part of subcall function 00DB1D35: GetStockObject.GDI32(00000011), ref: 00DB1D87
              • Part of subcall function 00DB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB1D91
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E378A1
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E378AE
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E378B9
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E378C8
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E378D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 118031d6e110029243692cb5589cc86084b1ab0bdd3715f7677e84fafb0c6994
            • Instruction ID: 30496761b1204f66e3712df19233bdb3a932d0d85fd0583be49f0e1ed2936e43
            • Opcode Fuzzy Hash: 118031d6e110029243692cb5589cc86084b1ab0bdd3715f7677e84fafb0c6994
            • Instruction Fuzzy Hash: 561190B2550219BFEF159F60CC89EE77F6DEF08798F015115FA48A2090C772AC21DBA0
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DD4292,?), ref: 00DD41E3
            • GetProcAddress.KERNEL32(00000000), ref: 00DD41EA
            • EncodePointer.KERNEL32(00000000), ref: 00DD41F6
            • DecodePointer.KERNEL32(00000001,00DD4292,?), ref: 00DD4213
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 3489934621-340411864
            • Opcode ID: 6b72db4b763becfb8f44c5606bf95539e36107874e81ad1d0d7e8e2eb298b788
            • Instruction ID: f24ede9da00f0cb9802cc82f02538e3f38dd6fc1f36f93fa8f1983d75283d7ce
            • Opcode Fuzzy Hash: 6b72db4b763becfb8f44c5606bf95539e36107874e81ad1d0d7e8e2eb298b788
            • Instruction Fuzzy Hash: E7E0E5B0A91304AFEB20BBB2EC4DB043AA4AB20B02F904428F555F51E0DBB540DD8E10
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DD41B8), ref: 00DD42B8
            • GetProcAddress.KERNEL32(00000000), ref: 00DD42BF
            • EncodePointer.KERNEL32(00000000), ref: 00DD42CA
            • DecodePointer.KERNEL32(00DD41B8), ref: 00DD42E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 3489934621-2819208100
            • Opcode ID: df6441423caf998d258be1fbc908ceb1c3c5a2c738adc6dc2891c32a53d3799d
            • Instruction ID: 16321e724a6597f027f71f5b43904aefd8a234c6a7044cc120f7fa9e485f0934
            • Opcode Fuzzy Hash: df6441423caf998d258be1fbc908ceb1c3c5a2c738adc6dc2891c32a53d3799d
            • Instruction Fuzzy Hash: A2E09AB8A82315DFDB10AB62FC0DB053EA4B714746F954039F105F11E0CB7545888A18
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E30038,?,?), ref: 00E310BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E30548
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E30588
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E305AB
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E305D4
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E30617
            • RegCloseKey.ADVAPI32(00000000), ref: 00E30624
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
            • String ID:
            • API String ID: 4046560759-0
            APIs
            • GetMenu.USER32(?), ref: 00E35A82
            • GetMenuItemCount.USER32(00000000), ref: 00E35AB9
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E35AE1
            • GetMenuItemID.USER32(?,?), ref: 00E35B50
            • GetSubMenu.USER32(?,?), ref: 00E35B5E
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E35BAF
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00E0F3F7
            • VariantClear.OLEAUT32(00000013), ref: 00E0F469
            • VariantClear.OLEAUT32(00000000), ref: 00E0F4C4
            • _memmove.LIBCMT ref: 00E0F4EE
            • VariantClear.OLEAUT32(?), ref: 00E0F53B
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E0F569
            Similarity
            • API ID: Variant$Clear$ChangeInitType_memmove
            • String ID:
            • API String ID: 1101466143-0
            APIs
            • _memset.LIBCMT ref: 00E12747
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E12792
            • IsMenu.USER32(00000000), ref: 00E127B2
            • CreatePopupMenu.USER32 ref: 00E127E6
            • GetMenuItemCount.USER32(000000FF), ref: 00E12844
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E12875
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00DB179A
            • GetWindowRect.USER32(?,?), ref: 00DB17FE
            • ScreenToClient.USER32(?,?), ref: 00DB181B
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DB182C
            • EndPaint.USER32(?,?), ref: 00DB1876
            Similarity
            • API ID: PaintWindow$BeginClientLongRectScreenViewport
            • String ID:
            • API String ID: 1827037458-0
            APIs
            • ShowWindow.USER32(00E767B0,00000000,00FC4B58,?,?,00E767B0,?,00E3B862,?,?), ref: 00E3B9CC
            • EnableWindow.USER32(00000000,00000000), ref: 00E3B9F0
            • ShowWindow.USER32(00E767B0,00000000,00FC4B58,?,?,00E767B0,?,00E3B862,?,?), ref: 00E3BA50
            • ShowWindow.USER32(00000000,00000004,?,00E3B862,?,?), ref: 00E3BA62
            • EnableWindow.USER32(00000000,00000001), ref: 00E3BA86
            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E3BAA9
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,00E25134,?,?,00000000,00000001), ref: 00E273BF
              • Part of subcall function 00E23C94: GetWindowRect.USER32(?,?), ref: 00E23CA7
            • GetDesktopWindow.USER32 ref: 00E273E9
            • GetWindowRect.USER32(00000000), ref: 00E273F0
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E27422
              • Part of subcall function 00E154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E1555E
            • GetCursorPos.USER32(?), ref: 00E2744E
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E274AC
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            APIs
              • Part of subcall function 00E085F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E08608
              • Part of subcall function 00E085F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E08612
              • Part of subcall function 00E085F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E08621
              • Part of subcall function 00E085F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E08628
              • Part of subcall function 00E085F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E0863E
            • GetLengthSid.ADVAPI32(?,00000000,00E08977), ref: 00E08DAC
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E08DB8
            • HeapAlloc.KERNEL32(00000000), ref: 00E08DBF
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E08DD8
            • GetProcessHeap.KERNEL32(00000000,00000000,00E08977), ref: 00E08DEC
            • HeapFree.KERNEL32(00000000), ref: 00E08DF3
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E08B2A
            • OpenProcessToken.ADVAPI32(00000000), ref: 00E08B31
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E08B40
            • CloseHandle.KERNEL32(00000004), ref: 00E08B4B
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E08B7A
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E08B8E
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            APIs
              • Part of subcall function 00DB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
              • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB135C
              • Part of subcall function 00DB12F3: BeginPath.GDI32(?), ref: 00DB1373
              • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB139C
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E3C1C4
            • LineTo.GDI32(00000000,00000003,?), ref: 00E3C1D8
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E3C1E6
            • LineTo.GDI32(00000000,00000000,?), ref: 00E3C1F6
            • EndPath.GDI32(00000000), ref: 00E3C206
            • StrokePath.GDI32(00000000), ref: 00E3C216
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD03D3
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD03DB
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD03E6
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD03F1
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD03F9
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD0401
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E1569B
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E156B1
            • GetWindowThreadProcessId.USER32(?,?), ref: 00E156C0
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E156CF
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E156D9
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E156E0
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 00E174E5
            • EnterCriticalSection.KERNEL32(?,?,00DC1044,?,?), ref: 00E174F6
            • TerminateThread.KERNEL32(00000000,000001F6,?,00DC1044,?,?), ref: 00E17503
            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DC1044,?,?), ref: 00E17510
              • Part of subcall function 00E16ED7: CloseHandle.KERNEL32(00000000,?,00E1751D,?,00DC1044,?,?), ref: 00E16EE1
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E17523
            • LeaveCriticalSection.KERNEL32(?,?,00DC1044,?,?), ref: 00E1752A
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E08E7F
            • UnloadUserProfile.USERENV(?,?), ref: 00E08E8B
            • CloseHandle.KERNEL32(?), ref: 00E08E94
            • CloseHandle.KERNEL32(?), ref: 00E08E9C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00E08EA5
            • HeapFree.KERNEL32(00000000), ref: 00E08EAC
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E42C7C,?), ref: 00E07C32
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E42C7C,?), ref: 00E07C4A
            • CLSIDFromProgID.OLE32(?,?,00000000,00E3FB80,000000FF,?,00000000,00000800,00000000,?,00E42C7C,?), ref: 00E07C6F
            • _memcmp.LIBCMT ref: 00E07C90
            Strings
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID: ,,
            • API String ID: 314563124-1556401989
            APIs
            • VariantInit.OLEAUT32(?), ref: 00E28928
            • CharUpperBuffW.USER32(?,?), ref: 00E28A37
            • VariantClear.OLEAUT32(?), ref: 00E28BAF
              • Part of subcall function 00E17804: VariantInit.OLEAUT32(00000000), ref: 00E17844
              • Part of subcall function 00E17804: VariantCopy.OLEAUT32(00000000,?), ref: 00E1784D
              • Part of subcall function 00E17804: VariantClear.OLEAUT32(00000000), ref: 00E17859
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: 02a052e8506dce28ba882da358d53ff1c66813ea4b1bd8e1cc592c2ed098c17e
            • Instruction ID: 4b7eb9a76d753c5651624b31d9ab858f989342256eda6e57955c70769b24a95d
            • Opcode Fuzzy Hash: 02a052e8506dce28ba882da358d53ff1c66813ea4b1bd8e1cc592c2ed098c17e
            • Instruction Fuzzy Hash: F7918C75608301DFC710DF24D5849AABBE4EFC9304F04996EF89AAB361DB31E945CB62
            APIs
              • Part of subcall function 00DCFEC6: _wcscpy.LIBCMT ref: 00DCFEE9
            • _memset.LIBCMT ref: 00E13077
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E130A6
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E13159
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E13187
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: bad45474344e61cbe3976e80078a6fb304e76ebe4813758c8f55eed4e30a6a17
            • Instruction ID: a062966ee33f75bfbaaf915bab2a2dbbbde3a227046d8970c80d7c7c1072f558
            • Opcode Fuzzy Hash: bad45474344e61cbe3976e80078a6fb304e76ebe4813758c8f55eed4e30a6a17
            • Instruction Fuzzy Hash: F5519331609301ABD7259F38D845AEBBBE4EF49368F04592DF895F3291DB70CE848762
            APIs
            • _memset.LIBCMT ref: 00E12CAF
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E12CCB
            • DeleteMenu.USER32(?,00000007,00000000), ref: 00E12D11
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E76890,00000000), ref: 00E12D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 6dbf3b5261051543591ad23d0da385039a2e664fa0b228ff8a74184665f712e5
            • Instruction ID: c52696a539beacc799fbeff1e4df2b576bf46d77c460bac64e4cc281439320a8
            • Opcode Fuzzy Hash: 6dbf3b5261051543591ad23d0da385039a2e664fa0b228ff8a74184665f712e5
            • Instruction Fuzzy Hash: 0441C170604342AFD720DF24DC44B9ABBE8EF85324F00461DFA65A72E1D770E994CBA2
            APIs
            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E2DAD9
              • Part of subcall function 00DB79AB: _memmove.LIBCMT ref: 00DB79F9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharLower_memmove
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 3425801089-567219261
            • Opcode ID: 814efea2535de3ffb8fcd16b22d1482949711af93eca95fd23817de6a44eb265
            • Instruction ID: d072fc653fc8fcb5f243743447812e903c2262710f76f20ed34f5584f9f6256d
            • Opcode Fuzzy Hash: 814efea2535de3ffb8fcd16b22d1482949711af93eca95fd23817de6a44eb265
            • Instruction Fuzzy Hash: 2D319071504219EFCF10EF64DC919EEB7B4FF45314B10862AE966B76D1CB31A905CBA0
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E093F6
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E09409
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E09439
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$_memmove$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 365058703-1403004172
            • Opcode ID: d802713d13f0ca633dd56145f3742aa5193812b621950b4a26d0c6eb22e3c456
            • Instruction ID: b5a74823a7f41666d6cc8fad3a111ca59712749fcbbc0ba641347d6628f82614
            • Opcode Fuzzy Hash: d802713d13f0ca633dd56145f3742aa5193812b621950b4a26d0c6eb22e3c456
            • Instruction Fuzzy Hash: F121D071900108AFDB14AFB0DC869FEBB7CDF45360B105129F926B72E2DB350A4A9630
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E21B40
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E21B66
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E21B96
            • InternetCloseHandle.WININET(00000000), ref: 00E21BDD
              • Part of subcall function 00E22777: GetLastError.KERNEL32(?,?,00E21B0B,00000000,00000000,00000001), ref: 00E2278C
              • Part of subcall function 00E22777: SetEvent.KERNEL32(?,?,00E21B0B,00000000,00000000,00000001), ref: 00E227A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 47391ea177c64638daaee35b0fcce17dcc8683618c699d1581edabed2cf821e0
            • Instruction ID: 181e74b17e8bbc0029096f6803d37b0faf5338e1069712d2f6669d06e4f0d35b
            • Opcode Fuzzy Hash: 47391ea177c64638daaee35b0fcce17dcc8683618c699d1581edabed2cf821e0
            • Instruction Fuzzy Hash: D021CFB1504218BFEB119F21AC85EFF76FCEB59748F10516AF505B2240EA309E089771
            APIs
              • Part of subcall function 00DB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DB1D73
              • Part of subcall function 00DB1D35: GetStockObject.GDI32(00000011), ref: 00DB1D87
              • Part of subcall function 00DB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB1D91
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E366D0
            • LoadLibraryW.KERNEL32(?), ref: 00E366D7
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E366EC
            • DestroyWindow.USER32(?), ref: 00E366F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: d7f1298435db06099b59b0a762cf36e2e3472c24d961336f3d792ee9883afa70
            • Instruction ID: c3a8a9866dec21ef8b31c652c38efacfe63f25dbb7b81b45773bb7eeb5450279
            • Opcode Fuzzy Hash: d7f1298435db06099b59b0a762cf36e2e3472c24d961336f3d792ee9883afa70
            • Instruction Fuzzy Hash: 7721BE71200209BFEF104F74EC8AEBB3BADEF193A8F50A229F911A6090C7718C50D760
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00E1705E
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E17091
            • GetStdHandle.KERNEL32(0000000C), ref: 00E170A3
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E170DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 652cee2b02f8785122f1940f8593ae3cf57a4afbae560ceb3c9d626380897c1c
            • Instruction ID: c3530fa326cd7aa1ac84a03305c69f65602613c5f65fb7d0730c30b24dc9c089
            • Opcode Fuzzy Hash: 652cee2b02f8785122f1940f8593ae3cf57a4afbae560ceb3c9d626380897c1c
            • Instruction Fuzzy Hash: DC214F74604309ABDB209F29DC09ADA7BF8AF48B24F205619F8E1F72D0D77199948B50
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00E1712B
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E1715D
            • GetStdHandle.KERNEL32(000000F6), ref: 00E1716E
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E171A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 941214b30c5a5a6e7f3d71f30ff51147b745eaa90421a9ed428453f7c570e938
            • Instruction ID: 5460727dc43fcf0c5af02868c7dedfd2e9d173dea58514842cfdac8156a227ca
            • Opcode Fuzzy Hash: 941214b30c5a5a6e7f3d71f30ff51147b745eaa90421a9ed428453f7c570e938
            • Instruction Fuzzy Hash: C9219075A09209ABDB209F699C04AEAB7F8AF55B34F201619FCE1F32D0D77098818B50
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00E1AEBF
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E1AF13
            • __swprintf.LIBCMT ref: 00E1AF2C
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E3F910), ref: 00E1AF6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: e2dd44da3219996a3e70f92a21d4deb72e045db4c8da8682f38f19ec13c774f1
            • Instruction ID: 59c72ee6afde988918eb2990b10b9102438ceaebbc6e1f2965b882eb6b77c625
            • Opcode Fuzzy Hash: e2dd44da3219996a3e70f92a21d4deb72e045db4c8da8682f38f19ec13c774f1
            • Instruction Fuzzy Hash: 57216530A00249AFCB10EF65D885EEE7BB8EF49704B044069F509E7251DB31EA45DB31
            APIs
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
              • Part of subcall function 00E0A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E0A399
              • Part of subcall function 00E0A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E0A3AC
              • Part of subcall function 00E0A37C: GetCurrentThreadId.KERNEL32 ref: 00E0A3B3
              • Part of subcall function 00E0A37C: AttachThreadInput.USER32(00000000), ref: 00E0A3BA
            • GetFocus.USER32 ref: 00E0A554
              • Part of subcall function 00E0A3C5: GetParent.USER32(?), ref: 00E0A3D3
            • GetClassNameW.USER32(?,?,00000100), ref: 00E0A59D
            • EnumChildWindows.USER32(?,00E0A615), ref: 00E0A5C5
            • __swprintf.LIBCMT ref: 00E0A5DF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
            • String ID: %s%d
            • API String ID: 1941087503-1110647743
            • Opcode ID: 1d24343818494aff498100dd8c78040ee1332bd59e2469b27cadcd4e1976d448
            • Instruction ID: 79b3b5920437dc024d2d8fbbf0c0787ce48e1d35be986f6ccd3c9fd18ff0ed75
            • Opcode Fuzzy Hash: 1d24343818494aff498100dd8c78040ee1332bd59e2469b27cadcd4e1976d448
            • Instruction Fuzzy Hash: 53118E71600308ABDF10BBA0EC8AFEE37B89F88700F085075F909BA192CA7559858B75
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00E12048
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 3964851224-769500911
            • Opcode ID: f6202d022f754d3f928231d3a98f8b35137ea4a6d2adeb7fbb0fd9ad5ed25c4b
            • Instruction ID: dbb4deab89b66f54991285a9f6f06faa60c636b22f8d1ed64a3a97bed46ca8c6
            • Opcode Fuzzy Hash: f6202d022f754d3f928231d3a98f8b35137ea4a6d2adeb7fbb0fd9ad5ed25c4b
            • Instruction Fuzzy Hash: F8112770940119CF8F00EFA4DD419EEB7B5FF5A304F10956AD856B7252EB32691ACB60
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E2EF1B
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E2EF4B
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E2F07E
            • CloseHandle.KERNEL32(?), ref: 00E2F0FF
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: cd06eaa0656cdc3b0677d48444f23817800358c001b9aaed5438d2835928a13e
            • Instruction ID: cb0583a790ecb8b26d11b7e7d72c52d027834e0766e913bfe8ab10249dacd838
            • Opcode Fuzzy Hash: cd06eaa0656cdc3b0677d48444f23817800358c001b9aaed5438d2835928a13e
            • Instruction Fuzzy Hash: 44815171604310DFD720DF28D856F6AB7E5EF48710F14882DF596EB292DBB1AC408B61
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E30038,?,?), ref: 00E310BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E30388
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E303C7
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E3040E
            • RegCloseKey.ADVAPI32(?,?), ref: 00E3043A
            • RegCloseKey.ADVAPI32(00000000), ref: 00E30447
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
            • String ID:
            • API String ID: 3440857362-0
            • Opcode ID: e9bded1af784b00abf719518ac896ee102574e14ab79c7db7cb4cc746498d156
            • Instruction ID: e1dbd8230a210defa85309eaabd1ddd82fa289cd674f93b5af555031a47b787e
            • Opcode Fuzzy Hash: e9bded1af784b00abf719518ac896ee102574e14ab79c7db7cb4cc746498d156
            • Instruction Fuzzy Hash: DE512B31208204AFD704EF64D895FAEBBE8FF84714F44996DF596A71A1DB30E904CB62
            APIs
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E2DC3B
            • GetProcAddress.KERNEL32(00000000,?), ref: 00E2DCBE
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E2DCDA
            • GetProcAddress.KERNEL32(00000000,?), ref: 00E2DD1B
            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E2DD35
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E17B20,?,?,00000000), ref: 00DB5B8C
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E17B20,?,?,00000000,?,?), ref: 00DB5BB0
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
            • String ID:
            • API String ID: 327935632-0
            • Opcode ID: ffd405278647ca30f2dd99b536e0260ae3d89b666eb47ca1dfc366254819d35e
            • Instruction ID: 7b894b0973fd10abfc4ac990a1056841686c87f6ec808f7b7917f3884e3a4962
            • Opcode Fuzzy Hash: ffd405278647ca30f2dd99b536e0260ae3d89b666eb47ca1dfc366254819d35e
            • Instruction Fuzzy Hash: 49514A35A04619DFCB01EF68D8859DDFBF4FF08314B058055E916AB322DB30AD45CB61
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E1E88A
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E1E8B3
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E1E8F2
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E1E917
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E1E91F
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: 12e0ff4781679362e73a7f3398209bf66bdac09d9d9b72b683cd34b5b59978f7
            • Instruction ID: b466473257e1797a9f359e3027505953f4757f57d9fdd34cc3538d8d36484ad5
            • Opcode Fuzzy Hash: 12e0ff4781679362e73a7f3398209bf66bdac09d9d9b72b683cd34b5b59978f7
            • Instruction Fuzzy Hash: 92512C35A00205EFCF01EF64C991AAEBBF5EF08314B148099E90AAB361CB31ED51CF60
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9f2833a5bf7595430d5c91c021c9a8cdb47993e3afaed416f8234b1ce2b978d7
            • Instruction ID: 95077dcc18c1acab92651da464bc7f70426c608b0f8070d85f3dd692f2ea9fcf
            • Opcode Fuzzy Hash: 9f2833a5bf7595430d5c91c021c9a8cdb47993e3afaed416f8234b1ce2b978d7
            • Instruction Fuzzy Hash: E541EF35900208AFD724DB28CC4CFA9BFA9EB09314F181175E8A6B72E1C770AD81CA52
            APIs
            • GetCursorPos.USER32(?), ref: 00DB2357
            • ScreenToClient.USER32(00E767B0,?), ref: 00DB2374
            • GetAsyncKeyState.USER32(00000001), ref: 00DB2399
            • GetAsyncKeyState.USER32(00000002), ref: 00DB23A7
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 3270af895d9e2275ac30ffcec59ca27499aa10f5611479ddde64900b4f61a898
            • Instruction ID: 0933e746374b67cdf132fc3b0b180567ebd5283f5da4836b6790d4486c605b9e
            • Opcode Fuzzy Hash: 3270af895d9e2275ac30ffcec59ca27499aa10f5611479ddde64900b4f61a898
            • Instruction Fuzzy Hash: 55419E32904159FFCF159F69CC48AEDBBB4FB05320F20431AF829A22A0C7349994DBB1
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E0695D
            • TranslateAcceleratorW.USER32(?,?,?), ref: 00E069A9
            • TranslateMessage.USER32(?), ref: 00E069D2
            • DispatchMessageW.USER32(?), ref: 00E069DC
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E069EB
            Similarity
            • API ID: Message$PeekTranslate$AcceleratorDispatch
            • String ID:
            • API String ID: 2108273632-0
            • Opcode ID: 5cbc751be9bbca2e2e05e3f81890818e8243a859f821a02a231fc7c8ac33c57e
            • Instruction ID: 072466f90f0ce8453633c820fdff90539f9710a08bad91d6144e6497b3c975e3
            • Opcode Fuzzy Hash: 5cbc751be9bbca2e2e05e3f81890818e8243a859f821a02a231fc7c8ac33c57e
            • Instruction Fuzzy Hash: 4D31E231A00646AFDB64DFB5CC48FB67BBCAB41308F505169E425F24E1D73098E9D7A0
            APIs
            • GetWindowRect.USER32(?,?), ref: 00E08F12
            • PostMessageW.USER32(?,00000201,00000001), ref: 00E08FBC
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E08FC4
            • PostMessageW.USER32(?,00000202,00000000), ref: 00E08FD2
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E08FDA
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 0c788482f4ba80a8a138db9ef83201392f1f0842cb41eb4c38870379f10b11ce
            • Instruction ID: 5c637152fcd0d7e4ea2d2eb97d3bcad4c5fd43030d2ef1f704c13a54c64484d5
            • Opcode Fuzzy Hash: 0c788482f4ba80a8a138db9ef83201392f1f0842cb41eb4c38870379f10b11ce
            • Instruction Fuzzy Hash: 0231E071A0021EEFDB14CF78DA4DA9E7BB6EB04315F104229F964E61D0C7B09954CB91
            APIs
            • IsWindowVisible.USER32(?), ref: 00E0B6C7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E0B6E4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E0B71C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E0B742
            • _wcsstr.LIBCMT ref: 00E0B74C
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: 4ea6ccaf20474a810be3c067f0e19b359b1dd249204db34162d727da5af3d7d1
            • Instruction ID: 72e7ca973c432eb0bda57e1b7803a76436821ab85f43e656c10e7527315aee65
            • Opcode Fuzzy Hash: 4ea6ccaf20474a810be3c067f0e19b359b1dd249204db34162d727da5af3d7d1
            • Instruction Fuzzy Hash: CD21DA31604204BBEB155B35AC4AE7B7F9CEF45710F14512BF805EA2A1EB61DC8096B0
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • GetWindowLongW.USER32(?,000000F0), ref: 00E3B44C
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E3B471
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E3B489
            • GetSystemMetrics.USER32(00000004), ref: 00E3B4B2
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E21184,00000000), ref: 00E3B4D0
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            • Opcode ID: 6d1cb27f67bee57425d53c66b6a70441d73226ac8b61edf903f6a58d36dd4440
            • Instruction ID: 224e3a020364a5d4b30eff8770a1501d3ac80e86f9c1e1aa5a512cb54f384a14
            • Opcode Fuzzy Hash: 6d1cb27f67bee57425d53c66b6a70441d73226ac8b61edf903f6a58d36dd4440
            • Instruction Fuzzy Hash: 4B218031910655AFCB249F39DC0CA6A3FA4EB05729F105728FA37E61E2F7309854DB94
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E09802
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E09834
            • __itow.LIBCMT ref: 00E0984C
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E09874
            • __itow.LIBCMT ref: 00E09885
            Similarity
            • API ID: MessageSend$__itow$_memmove
            • String ID:
            • API String ID: 2983881199-0
            • Opcode ID: a50c306ab2f0dea50c78315b1c1d5ea091f9f7e328c2ae6c51621ce8194b215e
            • Instruction ID: 59c68c0d144264ec7ce570c32e19d2b94c015c6364f84f3862f38c7314997892
            • Opcode Fuzzy Hash: a50c306ab2f0dea50c78315b1c1d5ea091f9f7e328c2ae6c51621ce8194b215e
            • Instruction Fuzzy Hash: A0218631A00208ABDB149E659C8AEEE7BA9DF49714F045029F905BB393D6708D8597F1
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
            • SelectObject.GDI32(?,00000000), ref: 00DB135C
            • BeginPath.GDI32(?), ref: 00DB1373
            • SelectObject.GDI32(?,00000000), ref: 00DB139C
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 9c293d6bfd63072123d18f64ba3f7c94736701e2782ab1ffe9f6abdc75ed5904
            • Instruction ID: a3f37b7ccc084a091346e08493deae95aa727fca87d50e3dfcd199e53f124290
            • Opcode Fuzzy Hash: 9c293d6bfd63072123d18f64ba3f7c94736701e2782ab1ffe9f6abdc75ed5904
            • Instruction Fuzzy Hash: 4521A770800608DFEB14DF56EC497A93BF8F700325F584226F419A62A1D37198D9CFA1
            APIs
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: c72bffc031eb43c009dd575f54b34cde08bd880ef37948043590fe51bd5bfaa6
            • Instruction ID: 42fd04fdbc49850e2ade7c2d423d54f0a3a552adffd3d49746ddeb8d0504c7c1
            • Opcode Fuzzy Hash: c72bffc031eb43c009dd575f54b34cde08bd880ef37948043590fe51bd5bfaa6
            • Instruction Fuzzy Hash: 6B01B5B16062067BE204BB206C42FAB776DDF21398F645225FE04B73C3E661DE5582F0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00E14D5C
            • __beginthreadex.LIBCMT ref: 00E14D7A
            • MessageBoxW.USER32(?,?,?,?), ref: 00E14D8F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E14DA5
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E14DAC
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
            • String ID:
            • API String ID: 3824534824-0
            • Opcode ID: a24aa4a890436130fd8ec079737fd2c675c60c2304faed2a8c9490ca7cafb7fb
            • Instruction ID: 80f0c8c37e3c823e83386e72f91a53ce767d338e2889cf8609f095140e88d257
            • Opcode Fuzzy Hash: a24aa4a890436130fd8ec079737fd2c675c60c2304faed2a8c9490ca7cafb7fb
            • Instruction Fuzzy Hash: B31100B2D04648BFC701DB69AC08ADA7FACEB45314F144269F918F33A1D6718D8887A0
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E08766
            • GetLastError.KERNEL32(?,00E0822A,?,?,?), ref: 00E08770
            • GetProcessHeap.KERNEL32(00000008,?,?,00E0822A,?,?,?), ref: 00E0877F
            • HeapAlloc.KERNEL32(00000000,?,00E0822A,?,?,?), ref: 00E08786
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E0879D
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 38005135557878f4d9447a2c5f4d8a648086f32f42d214bcf0cbaf7e6484cb81
            • Instruction ID: c29f5841da7fcdd79582df4bcbd4d46be5fb4914e0493b200c9dbe2cfad49cdf
            • Opcode Fuzzy Hash: 38005135557878f4d9447a2c5f4d8a648086f32f42d214bcf0cbaf7e6484cb81
            • Instruction Fuzzy Hash: 8E014F71A01218EFDB104FA6DD4CD677F6CEF853557200429F849E2160DA318C44CA60
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E15502
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E15510
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E15518
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E15522
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E1555E
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: d5c8725a7483e7f9e3fadc8bc64430b47eb576b1462d61ebc158c2b40eef26d4
            • Instruction ID: 2d70082c8cc162652331a027405680f71340d9a3bfa966d7b1f6434f08d80e4a
            • Opcode Fuzzy Hash: d5c8725a7483e7f9e3fadc8bc64430b47eb576b1462d61ebc158c2b40eef26d4
            • Instruction Fuzzy Hash: 06015B76C01A1DDBCF00EFE9E8885EDBB7AFB49711F000056E841B2150DB305598C7A1
            APIs
            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?,?,00E0799D), ref: 00E0766F
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?), ref: 00E0768A
            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?), ref: 00E07698
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?), ref: 00E076A8
            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E0758C,80070057,?,?), ref: 00E076B4
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 02b64753237f0acf5458f2337c9ef2119dfc527e4478a2431ecdf5694b95283e
            • Instruction ID: 68ad4f0dbf272d1dcd31799c22e37b5da5d8f1ce70c95c4aa0195b4fad0134e5
            • Opcode Fuzzy Hash: 02b64753237f0acf5458f2337c9ef2119dfc527e4478a2431ecdf5694b95283e
            • Instruction Fuzzy Hash: 2201D876E00608BFDB144F19EC08B9A7FACEB44751F100025FD45E2251EB32ED8087B0
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E08608
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E08612
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E08621
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E08628
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E0863E
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 85a5c3b49db48e78a4530b99cc8f293ee8f20f8b3bb310b2e9b2b079279a0ac4
            • Instruction ID: 9b7fbd8be16bbfa5e8de1109c20dbdf568638747eab93aa22adb740bd588deeb
            • Opcode Fuzzy Hash: 85a5c3b49db48e78a4530b99cc8f293ee8f20f8b3bb310b2e9b2b079279a0ac4
            • Instruction Fuzzy Hash: 7FF06831601208AFDB100FA5ED8DE6B3FACEF45758B011425F545E6190CB72DC49DA60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E08669
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E08673
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E08682
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E08689
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E0869F
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: c49aacbc82066b828830e8a19a55e2e880ba1483506d36b4f7c35d54cbf92a23
            • Instruction ID: cecea835658f839b70193882a1fe2f12c9cdf962371b3a535bb481e0406b3adc
            • Opcode Fuzzy Hash: c49aacbc82066b828830e8a19a55e2e880ba1483506d36b4f7c35d54cbf92a23
            • Instruction Fuzzy Hash: 6AF04F71601208AFEB111FA6EC8CE673FACEF89758B110035F985E61A0CA72D949DE60
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00E0C6BA
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E0C6D1
            • MessageBeep.USER32(00000000), ref: 00E0C6E9
            • KillTimer.USER32(?,0000040A), ref: 00E0C705
            • EndDialog.USER32(?,00000001), ref: 00E0C71F
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: 85c4781cddf77d67a8932fbfc23746c6603ff34104a97956c9487bf5574a5577
            • Instruction ID: b5bad943b301aa43b133b0645ea225ab2b08046772320c197d7992ae179e1c51
            • Opcode Fuzzy Hash: 85c4781cddf77d67a8932fbfc23746c6603ff34104a97956c9487bf5574a5577
            • Instruction Fuzzy Hash: 0801A230800708EBEB305B21ED4EF967BB8FF04B05F14166AF542B10E0DBE0A9988F90
            APIs
            • EndPath.GDI32(?), ref: 00DB13BF
            • StrokeAndFillPath.GDI32(?,?,00DEBAD8,00000000,?), ref: 00DB13DB
            • SelectObject.GDI32(?,00000000), ref: 00DB13EE
            • DeleteObject.GDI32 ref: 00DB1401
            • StrokePath.GDI32(?), ref: 00DB141C
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 16e6b1fa69fd1f6691f1b2ccde067634f2a265b915da4799e09c23943e812113
            • Instruction ID: a50289fd986c533b9749722dd4957c22ac63264684434ea238ce31de910e6e99
            • Opcode Fuzzy Hash: 16e6b1fa69fd1f6691f1b2ccde067634f2a265b915da4799e09c23943e812113
            • Instruction Fuzzy Hash: 30F01D34000A08DFEB199F1BED4C7943FA4A70132AF488224E42A680F6C73145ADDF21
            APIs
            • CoInitialize.OLE32(00000000), ref: 00E1C69D
            • CoCreateInstance.OLE32(00E42D6C,00000000,00000001,00E42BDC,?), ref: 00E1C6B5
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
            • CoUninitialize.OLE32 ref: 00E1C922
            Strings
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_memmove
            • String ID: .lnk
            • API String ID: 2683427295-24824748
            • Opcode ID: 3e165451ad55f94af9805407f122630c565dea04c932604baf8131bd1b92001c
            • Instruction ID: 56f6c4de30d27339d12c60a2bdda9b997d14bb4de48f197b4eae920dbb93c490
            • Opcode Fuzzy Hash: 3e165451ad55f94af9805407f122630c565dea04c932604baf8131bd1b92001c
            • Instruction Fuzzy Hash: 95A12B71104245AFD704EF54C891EABB7ECEF99704F00491CF296A72A2DB70EA49CB72
            APIs
              • Part of subcall function 00DD0FF6: std::exception::exception.LIBCMT ref: 00DD102C
              • Part of subcall function 00DD0FF6: __CxxThrowException@8.LIBCMT ref: 00DD1041
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00DB7BB1: _memmove.LIBCMT ref: 00DB7C0B
            • __swprintf.LIBCMT ref: 00DC302D
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DC2EC6
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 1943609520-557222456
            APIs
              • Part of subcall function 00DB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DB48A1,?,?,00DB37C0,?), ref: 00DB48CE
            • CoInitialize.OLE32(00000000), ref: 00E1BC26
            • CoCreateInstance.OLE32(00E42D6C,00000000,00000001,00E42BDC,?), ref: 00E1BC3F
            • CoUninitialize.OLE32 ref: 00E1BC5C
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            Strings
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
            • String ID: .lnk
            • API String ID: 2126378814-24824748
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 00E0B981
            Strings
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container$%
            • API String ID: 3565006973-1286912533
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00DD52DD
              • Part of subcall function 00DE0340: __87except.LIBCMT ref: 00DE037B
            Strings
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            Strings
            Similarity
            • API ID:
            • String ID: #$+
            • API String ID: 0-2552117581
            APIs
            Strings
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E3F910,00000000,?,?,?,?), ref: 00E37C4E
            • GetWindowLongW.USER32 ref: 00E37C6B
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E37C7B
            Strings
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E376D0
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E376E4
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E37708
            Strings
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E36FAA
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E36FBA
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E36FDF
            Strings
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E379E1
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E379F6
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E37A03
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00DB4C2E), ref: 00DB4CA3
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DB4CB5
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00DB4CE1,?), ref: 00DB4DA2
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DB4DB4
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00DB4D2E,?,00DB4F4F,?,00E762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DB4D6F
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DB4D81
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,00E312C1), ref: 00E31080
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E31092
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E29009,?,00E3F910), ref: 00E29403
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E29415
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            APIs
            Strings
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 00E2E3D2
            • CharLowerBuffW.USER32(?,?), ref: 00E2E415
              • Part of subcall function 00E2DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E2DAD9
            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E2E615
            • _memmove.LIBCMT ref: 00E2E628
            Similarity
            • API ID: BuffCharLower$AllocVirtual_memmove
            • String ID:
            • API String ID: 3659485706-0
            APIs
            • CoInitialize.OLE32(00000000), ref: 00E283D8
            • CoUninitialize.OLE32 ref: 00E283E3
              • Part of subcall function 00E0DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E0DAC5
            • VariantInit.OLEAUT32(?), ref: 00E283EE
            • VariantClear.OLEAUT32(?), ref: 00E286BF
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            APIs
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            APIs
            • GetWindowRect.USER32(00FCE540,?), ref: 00E39AD2
            • ScreenToClient.USER32(00000002,00000002), ref: 00E39B05
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E39B72
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00E26CE4
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26CF4
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E26D58
            • WSAGetLastError.WSOCK32(00000000), ref: 00E26D64
            Similarity
            • API ID: ErrorLast$__itow__swprintfsocket
            • String ID:
            • API String ID: 2214342067-0
            APIs
            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E3F910), ref: 00E267BA
            • _strlen.LIBCMT ref: 00E267EC
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E1BB09
            • GetLastError.KERNEL32(?,00000000), ref: 00E1BB2F
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E1BB54
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E1BB80
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E38B4D
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            APIs
            • ClientToScreen.USER32(?,?), ref: 00E3AE1A
            • GetWindowRect.USER32(?,?), ref: 00E3AE90
            • PtInRect.USER32(?,?,00E3C304), ref: 00E3AEA0
            • MessageBeep.USER32(00000000), ref: 00E3AF11
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E11037
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E11053
            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E110B9
            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E1110B
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00E11176
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E11192
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E111F1
            • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00E11243
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DE644B
            • __isleadbyte_l.LIBCMT ref: 00DE6479
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DE64A7
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DE64DD
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            APIs
            • GetForegroundWindow.USER32 ref: 00E35189
              • Part of subcall function 00E1387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E13897
              • Part of subcall function 00E1387D: GetCurrentThreadId.KERNEL32 ref: 00E1389E
              • Part of subcall function 00E1387D: AttachThreadInput.USER32(00000000,?,00E152A7), ref: 00E138A5
            • GetCaretPos.USER32(?), ref: 00E3519A
            • ClientToScreen.USER32(00000000,?), ref: 00E351D5
            • GetForegroundWindow.USER32 ref: 00E351DB
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • GetCursorPos.USER32(?), ref: 00E3C7C2
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DEBBFB,?,?,?,?,?), ref: 00E3C7D7
            • GetCursorPos.USER32(?), ref: 00E3C824
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DEBBFB,?,?,?), ref: 00E3C85E
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            APIs
            • __setmode.LIBCMT ref: 00DD0BF2
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E17B20,?,?,00000000), ref: 00DB5B8C
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E17B20,?,?,00000000,?,?), ref: 00DB5BB0
            • _fprintf.LIBCMT ref: 00DD0C29
            • OutputDebugStringW.KERNEL32(?), ref: 00E06331
              • Part of subcall function 00DD4CDA: _flsall.LIBCMT ref: 00DD4CF3
            • __setmode.LIBCMT ref: 00DD0C5E
            Similarity
            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
            • String ID:
            • API String ID: 521402451-0
            APIs
              • Part of subcall function 00E08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E08669
              • Part of subcall function 00E08652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E08673
              • Part of subcall function 00E08652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E08682
              • Part of subcall function 00E08652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E08689
              • Part of subcall function 00E08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E0869F
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E08BEB
            • _memcmp.LIBCMT ref: 00E08C0E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E08C44
            • HeapFree.KERNEL32(00000000), ref: 00E08C4B
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E21A97
              • Part of subcall function 00E21B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E21B40
              • Part of subcall function 00E21B21: InternetCloseHandle.WININET(00000000), ref: 00E21BDD
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            APIs
              • Part of subcall function 00E0F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E0E1C4,?,?,?,00E0EFB7,00000000,000000EF,00000119,?,?), ref: 00E0F5BC
              • Part of subcall function 00E0F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E0F5E2
              • Part of subcall function 00E0F5AD: lstrcmpiW.KERNEL32(00000000,?,00E0E1C4,?,?,?,00E0EFB7,00000000,000000EF,00000119,?,?), ref: 00E0F613
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E0E1DD
            • lstrcpyW.KERNEL32(00000000,?), ref: 00E0E203
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E0E237
            Strings
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            APIs
            • _free.LIBCMT ref: 00DE5351
              • Part of subcall function 00DD594C: __FF_MSGBANNER.LIBCMT ref: 00DD5963
              • Part of subcall function 00DD594C: __NMSG_WRITE.LIBCMT ref: 00DD596A
              • Part of subcall function 00DD594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00DD1013,?), ref: 00DD598F
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            APIs
            • _memset.LIBCMT ref: 00DB4560
              • Part of subcall function 00DB410D: _memset.LIBCMT ref: 00DB418D
              • Part of subcall function 00DB410D: _wcscpy.LIBCMT ref: 00DB41E1
              • Part of subcall function 00DB410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DB41F1
            • KillTimer.USER32(?,00000001,?,?), ref: 00DB45B5
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DB45C4
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DED6CE
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: c9510868c6735d302697b7cbda7138c056c5c2bee5db047b9720aea4de62a685
            • Instruction ID: ff57d1bb69654c16d62299a2f12ada965cf3d6a046845bf3f3bd61f90ef9ac60
            • Opcode Fuzzy Hash: c9510868c6735d302697b7cbda7138c056c5c2bee5db047b9720aea4de62a685
            • Instruction Fuzzy Hash: FD21AA709047C89FEB32DB25D859BE7BFED9F01308F04009EE69E56242CB745A888B61
            APIs
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E17B20,?,?,00000000), ref: 00DB5B8C
              • Part of subcall function 00DB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E17B20,?,?,00000000,?,?), ref: 00DB5BB0
            • gethostbyname.WSOCK32(?,?,?), ref: 00E266AC
            • WSAGetLastError.WSOCK32(00000000), ref: 00E266B7
            • _memmove.LIBCMT ref: 00E266E4
            • inet_ntoa.WSOCK32(?), ref: 00E266EF
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
            • String ID:
            • API String ID: 1504782959-0
            • Opcode ID: 2340f7c24dfdba818f3b8885b0be6add6f4d8847b1a223d7101554aad01a7f3d
            • Instruction ID: ca4b7078f348cdad17239e14b249bdba7ecf2cc5e7f7de3bb84fb6aad30c366d
            • Opcode Fuzzy Hash: 2340f7c24dfdba818f3b8885b0be6add6f4d8847b1a223d7101554aad01a7f3d
            • Instruction Fuzzy Hash: AB110736900509EFCB04FBA5E996EEEBBB8EF54310B144165F506B72A1DB30AE14CB71
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E09043
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E09055
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E0906B
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E09086
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: e6d996be43e29ef7d4eec65ad67d3619181494256ef518f85feb082323ecd628
            • Instruction ID: 5cf91ea12c4db9a48ce07c90424697502c7e82ec35bcdaf0b2f29b3b5aa04c6f
            • Opcode Fuzzy Hash: e6d996be43e29ef7d4eec65ad67d3619181494256ef518f85feb082323ecd628
            • Instruction Fuzzy Hash: E6115E79900218FFDB10DFA5CD85EADFBB4FB48310F204095E904B7291D6716E50DB90
            APIs
              • Part of subcall function 00DB2612: GetWindowLongW.USER32(?,000000EB), ref: 00DB2623
            • DefDlgProcW.USER32(?,00000020,?), ref: 00DB12D8
            • GetClientRect.USER32(?,?), ref: 00DEB84B
            • GetCursorPos.USER32(?), ref: 00DEB855
            • ScreenToClient.USER32(?,?), ref: 00DEB860
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: f9fdeffd4d1a1be1f595ad36013e5115621066aef97f7cd524ada0901cc7570f
            • Instruction ID: fcf853d73db5fb8c43efd310484751aae4db968482d6273eb9a0c1a30e5f3b79
            • Opcode Fuzzy Hash: f9fdeffd4d1a1be1f595ad36013e5115621066aef97f7cd524ada0901cc7570f
            • Instruction Fuzzy Hash: F4112B39900119EFCB04DF95D89A9FE7BB8FB05301F500456F952E7250CB30BA558BB9
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E101FD,?,00E11250,?,00008000), ref: 00E1166F
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E101FD,?,00E11250,?,00008000), ref: 00E11694
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E101FD,?,00E11250,?,00008000), ref: 00E1169E
            • Sleep.KERNEL32(?,?,?,?,?,?,?,00E101FD,?,00E11250,?,00008000), ref: 00E116D1
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 6f09cfdeda34718392be73c9e0eb745a2bbeb9f978da00668e4ebe1b363ddfe0
            • Instruction ID: 7dd266ce20d452454d89e45689832042b1d6d72f98efb46ed6318f66ce0b91ec
            • Opcode Fuzzy Hash: 6f09cfdeda34718392be73c9e0eb745a2bbeb9f978da00668e4ebe1b363ddfe0
            • Instruction Fuzzy Hash: BC115E31C0151DEBCF009FA6E948AEEBF78FF09751F054099EA81B6240CB3255A4CBE6
            APIs
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: 61b43b2220cc5ca3b9f91e7a12bb4cb7ef42fe8b057597afa64582be0933081a
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: C501803204418ABBCF926E85DC018EE3F22BF19344B088515FB1858031C237C9B1ABA5
            APIs
            • GetWindowRect.USER32(?,?), ref: 00E3B59E
            • ScreenToClient.USER32(?,?), ref: 00E3B5B6
            • ScreenToClient.USER32(?,?), ref: 00E3B5DA
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E3B5F5
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: 1d47292fef46f66a49fe161ea3e8ed6a34caa89acc15607f9ee0165b9c20b0f3
            • Instruction ID: c71b833e5c5cbf3dc40b11b3193b54c6e83bcbfb26bcc81c86a4a02ab52a1ebf
            • Opcode Fuzzy Hash: 1d47292fef46f66a49fe161ea3e8ed6a34caa89acc15607f9ee0165b9c20b0f3
            • Instruction Fuzzy Hash: 011132B9D0020DEFDB41CFA9C8859EEBBB9FF08310F108166E915E2220D735AA558F91
            APIs
            • _memset.LIBCMT ref: 00E3B8FE
            • _memset.LIBCMT ref: 00E3B90D
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E77F20,00E77F64), ref: 00E3B93C
            • CloseHandle.KERNEL32 ref: 00E3B94E
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: b787c98b1956d9317d9f8db201b123e3c3a92017730d5ccbb78ba4615dfeac70
            • Instruction ID: 1b84fb92b07f76697ccb3a6fb78892603f95f376499086c55a649abcbca398f7
            • Opcode Fuzzy Hash: b787c98b1956d9317d9f8db201b123e3c3a92017730d5ccbb78ba4615dfeac70
            • Instruction Fuzzy Hash: D0F05EB2648304BFE2106B62AD0AFBB3A5CEB08355F005021FB4CF6292D771494487B9
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 00E16E88
              • Part of subcall function 00E1794E: _memset.LIBCMT ref: 00E17983
            • _memmove.LIBCMT ref: 00E16EAB
            • _memset.LIBCMT ref: 00E16EB8
            • LeaveCriticalSection.KERNEL32(?), ref: 00E16EC8
            Similarity
            • API ID: CriticalSection_memset$EnterLeave_memmove
            • String ID:
            • API String ID: 48991266-0
            • Opcode ID: 5269aea4874c69c78b49e2c1509082d9492ee8c2c6831a7e08bc04f4ca54d7b7
            • Instruction ID: f407d23869c421914ee7f0a8f7e0481439f4822948a6780ad9f9f15f279307fa
            • Opcode Fuzzy Hash: 5269aea4874c69c78b49e2c1509082d9492ee8c2c6831a7e08bc04f4ca54d7b7
            • Instruction Fuzzy Hash: 1FF0543A504204BBCF016F55DC85E9ABB69EF49320B04C061FE096E226C771E955CBB5
            APIs
              • Part of subcall function 00DB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DB134D
              • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB135C
              • Part of subcall function 00DB12F3: BeginPath.GDI32(?), ref: 00DB1373
              • Part of subcall function 00DB12F3: SelectObject.GDI32(?,00000000), ref: 00DB139C
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E3C030
            • LineTo.GDI32(00000000,?,?), ref: 00E3C03D
            • EndPath.GDI32(00000000), ref: 00E3C04D
            • StrokePath.GDI32(00000000), ref: 00E3C05B
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: acd9bac7010808488e61a044eaad10a5bd6a6285dfc130b569244148f2c9b5b7
            • Instruction ID: e5b543e6e54ed7d487e82dc1b60857d1ecf00325fcbd13d2a8e443d0e27a5abf
            • Opcode Fuzzy Hash: acd9bac7010808488e61a044eaad10a5bd6a6285dfc130b569244148f2c9b5b7
            • Instruction Fuzzy Hash: 31F09A31401259FADB166F56AC0EFCA3F98AF05314F144000FA11310E287655668CFA5
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E0A399
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E0A3AC
            • GetCurrentThreadId.KERNEL32 ref: 00E0A3B3
            • AttachThreadInput.USER32(00000000), ref: 00E0A3BA
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 8a6998f2c124ac3f4979826e372a57ca0c3a0d7ef8386124c09cd82abb1bc531
            • Instruction ID: 9c05a80b5511196d3dcae643a415f1c1bef881aadc4f67c544c275d02a373b6c
            • Opcode Fuzzy Hash: 8a6998f2c124ac3f4979826e372a57ca0c3a0d7ef8386124c09cd82abb1bc531
            • Instruction Fuzzy Hash: B9E0A57194532CBADB205FA2DC0DEEB7E5CEF267A1F048035F509A50A0C675C5849BE1
            APIs
            • GetSysColor.USER32(00000008), ref: 00DB2231
            • SetTextColor.GDI32(?,000000FF), ref: 00DB223B
            • SetBkMode.GDI32(?,00000001), ref: 00DB2250
            • GetStockObject.GDI32(00000005), ref: 00DB2258
            • GetWindowDC.USER32(?,00000000), ref: 00DEC0D3
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DEC0E0
            • GetPixel.GDI32(00000000,?,00000000), ref: 00DEC0F9
            • GetPixel.GDI32(00000000,00000000,?), ref: 00DEC112
            • GetPixel.GDI32(00000000,?,?), ref: 00DEC132
            • ReleaseDC.USER32(?,00000000), ref: 00DEC13D
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: bc1812e51a0169f7041ec2da504db93272f781c64475a6708c44d21c2ed2e86e
            • Instruction ID: 508570743d6e33110c53294c6d6e542cb79fef4e3dedeba00fd177733fbe49d9
            • Opcode Fuzzy Hash: bc1812e51a0169f7041ec2da504db93272f781c64475a6708c44d21c2ed2e86e
            • Instruction Fuzzy Hash: A7E06D32900288FEDF215FA6FC0DBD83F10EB05332F048366FA69A80E287714985DB21
            APIs
            • GetCurrentThread.KERNEL32 ref: 00E08C63
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E0882E), ref: 00E08C6A
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E0882E), ref: 00E08C77
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E0882E), ref: 00E08C7E
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: aa16cf04ab82e17947d996e04f99a50f9294d5666fcffd0b6fca5db7ae196772
            • Instruction ID: 021ccaed20dd4b90958c003e9c3501ce0d506cead3efd625b2a39830e897ddea
            • Opcode Fuzzy Hash: aa16cf04ab82e17947d996e04f99a50f9294d5666fcffd0b6fca5db7ae196772
            • Instruction Fuzzy Hash: 72E08636A42225DFE7205FB66E0CB577FBCEF50796F054829F285E9090DA348489CF61
            APIs
            • GetDesktopWindow.USER32 ref: 00DF2187
            • GetDC.USER32(00000000), ref: 00DF2191
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DF21B1
            • ReleaseDC.USER32(?), ref: 00DF21D2
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 1db1429b00690cf8ab974356dea21a3e5c736de35d9bafef4ab64c0949a1d502
            • Instruction ID: b47e1ad6d55afabc65ed01d3d965ee641eaddc554e761ca9f925535dc13560c7
            • Opcode Fuzzy Hash: 1db1429b00690cf8ab974356dea21a3e5c736de35d9bafef4ab64c0949a1d502
            • Instruction Fuzzy Hash: 61E0E575800208EFDB019FA1C80DAADBFF1EB4C350F118425F95AA7220CB7881459F90
            APIs
            • GetDesktopWindow.USER32 ref: 00DF219B
            • GetDC.USER32(00000000), ref: 00DF21A5
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DF21B1
            • ReleaseDC.USER32(?), ref: 00DF21D2
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: e67058f60765f64bf71c7a79c78348274a0d13490766e4fa45b9aad1a68fffe6
            • Instruction ID: e417f29245f2777c8c34b6bf122bd941ba4808f957d00abb70801d25fbbcfe6c
            • Opcode Fuzzy Hash: e67058f60765f64bf71c7a79c78348274a0d13490766e4fa45b9aad1a68fffe6
            • Instruction Fuzzy Hash: A4E0EEB5C00208EFCB019FA2C80DA9DBFE1EB4C310F108029F95AA7220CB7891459F90
            Strings
            Similarity
            • API ID:
            • String ID: %
            • API String ID: 0-2291192146
            • Opcode ID: 49ef516d1b0dc094e01223dd133aa5287fb76e848bf17fab446ae1a634a17943
            • Instruction ID: d7fd99efd9f08839e253d6fa9795a3a733d9fe66dc7959abc1378b81b39e0238
            • Opcode Fuzzy Hash: 49ef516d1b0dc094e01223dd133aa5287fb76e848bf17fab446ae1a634a17943
            • Instruction Fuzzy Hash: 67B18D75904209DBCF24EF98C481AFEBBB4EF44310F544026E947A7295EA38DE95CBB1
            APIs
            Strings
            Similarity
            • API ID: __itow_s
            • String ID: xr$xr
            • API String ID: 3653519197-2528877900
            • Opcode ID: 001c9f88ae3a6640c7826f8977994124dbf3d36f074ac876543d75874aa2eb53
            • Instruction ID: 23ac8503663f88b55ae8d823fbaeca1285c7ee5065658802b52faf33a0d508e5
            • Opcode Fuzzy Hash: 001c9f88ae3a6640c7826f8977994124dbf3d36f074ac876543d75874aa2eb53
            • Instruction Fuzzy Hash: BCB1AF71A00219EFCB14EF54D891EEEB7B9FF58300F149459F946AB252EB70E981CB60
            APIs
              • Part of subcall function 00DCFEC6: _wcscpy.LIBCMT ref: 00DCFEE9
              • Part of subcall function 00DB9997: __itow.LIBCMT ref: 00DB99C2
              • Part of subcall function 00DB9997: __swprintf.LIBCMT ref: 00DB9A0C
            • __wcsnicmp.LIBCMT ref: 00E1B298
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E1B361
            Strings
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: 82f44be88b1f909e57aab4da6f75668ab885cd16010e82de3fbd59dfbe9a55f4
            • Instruction ID: 690d3d6f3243d1bbfe22d1969579358e8a5e865029e8fa2adec942d54c45decf
            • Opcode Fuzzy Hash: 82f44be88b1f909e57aab4da6f75668ab885cd16010e82de3fbd59dfbe9a55f4
            • Instruction Fuzzy Hash: AC616075A00215EFCB14EF94C895EEEB7B4EF08310F11506AF556BB2A1DB70AE84CB60
            APIs
            • Sleep.KERNEL32(00000000), ref: 00DC2AC8
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00DC2AE1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 401e1c7029b41c5f4f938072e9ec8783625d28a1d527a5a05b90d408206a67c0
            • Instruction ID: e077850352c330eac4a208e6f104e6fb9039dad5ef191dce5fc8e5415558894a
            • Opcode Fuzzy Hash: 401e1c7029b41c5f4f938072e9ec8783625d28a1d527a5a05b90d408206a67c0
            • Instruction Fuzzy Hash: B6515872418784DBD320AF10D896BABBBF8FF85314F42485DF2DA511A1DB308569CB26
            APIs
              • Part of subcall function 00DB506B: __fread_nolock.LIBCMT ref: 00DB5089
            • _wcscmp.LIBCMT ref: 00E19AAE
            • _wcscmp.LIBCMT ref: 00E19AC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: 38627a8ba750cdae1ff98a3d8f6a614b808c7278ea434537f4b769e60eb8ed3f
            • Instruction ID: 305cc4735f80d1960bce472d525e8823cb7f0f2b31ef4aaabd69da6691ec02c7
            • Opcode Fuzzy Hash: 38627a8ba750cdae1ff98a3d8f6a614b808c7278ea434537f4b769e60eb8ed3f
            • Instruction Fuzzy Hash: 1F41F771A00609BADF20AAA0DC46FEFBBFDDF45714F00007AFA01B7185DA75AA4487B1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID: Dt$Dt
            • API String ID: 1473721057-4168040075
            • Opcode ID: 8aba312a8eb60ef5f4cfe0b9473e41cb8b0c6089b387a67ea562d56a59d4f887
            • Instruction ID: 8d383924d27fe99d6165bbabcff8d98cdaa76f4dd0117cdb36cec0cbb43e95a2
            • Opcode Fuzzy Hash: 8aba312a8eb60ef5f4cfe0b9473e41cb8b0c6089b387a67ea562d56a59d4f887
            • Instruction Fuzzy Hash: 0F510574608341DFC754CF19C480A6ABBF1BB99344F58885DE9968B321E731EC85CF62
            APIs
            • _memset.LIBCMT ref: 00E22892
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E228C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: 8b639eb1c252e7fe5361e863e6730b3f50ac04eb4ad6f59b51465400ac8e19fc
            • Instruction ID: 4f38ada1f7f5110345ee4d778b753e859961b133c804f4e4e9797a6b9718bd1f
            • Opcode Fuzzy Hash: 8b639eb1c252e7fe5361e863e6730b3f50ac04eb4ad6f59b51465400ac8e19fc
            • Instruction Fuzzy Hash: 88310571800119AFCF11AFA1DC85EEEBFB9FF48300F104029E915A6266DA315A56DBB0
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00E36D86
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E36DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: effb87b5be17830cd396b655d154f3fa22b019018a504b24aaf05057bf90e322
            • Instruction ID: 8484ac40c3ed984598d3921f8e1e8dcfe27a9ca22f292211da7da38e73b209d1
            • Opcode Fuzzy Hash: effb87b5be17830cd396b655d154f3fa22b019018a504b24aaf05057bf90e322
            • Instruction Fuzzy Hash: 35319071200604AEDB109F74CC44AFB7BB8FF88724F509519F996A7190CA31AC91CB60
            APIs
            • _memset.LIBCMT ref: 00E12E00
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E12E3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 108d2a110893f08ba8b87464d25e4b84dffb7e0e3dba21612111f72c4251d895
            • Instruction ID: 1b50aab3f4f4935842f45ad68899bb71ea0c2fa88a4702dfc002808f78a8bc5f
            • Opcode Fuzzy Hash: 108d2a110893f08ba8b87464d25e4b84dffb7e0e3dba21612111f72c4251d895
            • Instruction Fuzzy Hash: 5131C531A00309ABEF268F58DC45BEEBBB5EF05354F14502EEA86B61A0E77099D4CB50
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E369D0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E369DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: df42529e513e53c4c741f1e7c981447d2f8bbfcc4263f05390d6c3897ef5a940
            • Instruction ID: 96a342e316baafab0730ec8424ad9dad74eadbc5d86e66dba687777a30547809
            • Opcode Fuzzy Hash: df42529e513e53c4c741f1e7c981447d2f8bbfcc4263f05390d6c3897ef5a940
            • Instruction Fuzzy Hash: A411B6716002087FEF159E24CC94FFB3F6AEB993A8F115125F958AB290D6719C51C7A0
            APIs
              • Part of subcall function 00DB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DB1D73
              • Part of subcall function 00DB1D35: GetStockObject.GDI32(00000011), ref: 00DB1D87
              • Part of subcall function 00DB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DB1D91
            • GetWindowRect.USER32(00000000,?), ref: 00E36EE0
            • GetSysColor.USER32(00000012), ref: 00E36EFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 93639377d24e325c51f2077db985bdd78de914963776e08d29d6263988b34b7d
            • Instruction ID: f93b63b3acc32ba7ce3ad9808384fcc7098605253dcc290baa6fba423bc344c7
            • Opcode Fuzzy Hash: 93639377d24e325c51f2077db985bdd78de914963776e08d29d6263988b34b7d
            • Instruction Fuzzy Hash: 2C211772A1020AAFDB04DFB8DD49AEA7BB8EB08314F015629F955E2250D634A865DB60
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00E36C11
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E36C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: a39f40703b070b7ca96d959629ab35479f65b362db6d4f63270781d8ed93e68b
            • Instruction ID: d5d65b05124c27e7ddda745ad4dd3d960102988f2f54b04a90afb303232cff3f
            • Opcode Fuzzy Hash: a39f40703b070b7ca96d959629ab35479f65b362db6d4f63270781d8ed93e68b
            • Instruction Fuzzy Hash: 8D119A71500208BFEB108E74DC49AEA7FA9EB04368F20A724F965E31E0C735DC90DB60
            APIs
            • _memset.LIBCMT ref: 00E12F11
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E12F30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 005e5cb2ac963a8e5cc787f743c98f37a367979d2735acbfc149e0eb2f917735
            • Instruction ID: 3caf8e604dc6a237e104b2d0da9d80fdfb82aba83b2d95bf02bab735ce5af59f
            • Opcode Fuzzy Hash: 005e5cb2ac963a8e5cc787f743c98f37a367979d2735acbfc149e0eb2f917735
            • Instruction Fuzzy Hash: 5C112635E00214ABDB31DB58DC04BD977B9EB09308F0410A9EA14B72A0D770ED99C791
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E22520
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E22549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 161daec1fae8f4a56a5163af327c4b97057d9c764e7bdf318b49796724364058
            • Instruction ID: c2ef3dc47be3a7dde5d37ab6d5355300f87ad5b4090b6f8993d451ddbf74dab6
            • Opcode Fuzzy Hash: 161daec1fae8f4a56a5163af327c4b97057d9c764e7bdf318b49796724364058
            • Instruction Fuzzy Hash: 7D11E070580235BEDB249F61AC99EFBFF68FB06355F10912EFA0566040D6706944DAE1
            APIs
              • Part of subcall function 00E2830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E280C8,?,00000000,?,?), ref: 00E28322
            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E280CB
            • htons.WSOCK32(00000000,?,00000000), ref: 00E28108
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ByteCharMultiWidehtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 2496851823-2422070025
            • Opcode ID: 67c707b8e204c510c0c1123c6b6d7e997131edf4fbb002d4b7998f378760cc48
            • Instruction ID: 589a5342cd8b586a7f28203f869ae2c1dab0428ca901d53b2418b9078a301f6c
            • Opcode Fuzzy Hash: 67c707b8e204c510c0c1123c6b6d7e997131edf4fbb002d4b7998f378760cc48
            • Instruction Fuzzy Hash: DD112130600219ABDB20AF64EC46FEEB774FF50320F108527E911B72D1DB32A815C7A1
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DB3C26,00E762F8,?,?,?), ref: 00DC0ACE
              • Part of subcall function 00DB7D2C: _memmove.LIBCMT ref: 00DB7D66
            • _wcscat.LIBCMT ref: 00DF50E1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FullNamePath_memmove_wcscat
            • String ID: c
            • API String ID: 257928180-921687731
            • Opcode ID: 2cbab6fa3a0c8462395f219479f249f05b25826c0f0b659b8aa7c97d574930da
            • Instruction ID: be63b4695a2c65158214c75aadf6267bf978041308038d0be4f2fa0b9aaf345c
            • Opcode Fuzzy Hash: 2cbab6fa3a0c8462395f219479f249f05b25826c0f0b659b8aa7c97d574930da
            • Instruction Fuzzy Hash: 3A11653590421DEB8B41EB64DC42FDD77B9EF48354B0040A9B99DE7291EA70DA889B31
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E09355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: f1fd2fc2b88603c2bd2aa874e68ab21bac31202d8c2a396e9c95f6f517c82529
            • Instruction ID: 2a3ee264534ac5be9114ccb6b3b4d33e8beefa44813fdba51bad03b759a89d5e
            • Opcode Fuzzy Hash: f1fd2fc2b88603c2bd2aa874e68ab21bac31202d8c2a396e9c95f6f517c82529
            • Instruction Fuzzy Hash: 30018C71A45219ABCB04AFA4CC928FE77ADFF46320B141619F822772D2DA3569488A60
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E0924D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 83df19e61639775bfc130c2f4d0ab551e8c2311ad1bd128f4b10754f8787c083
            • Instruction ID: 52eb667d1b3a4069f36888cf2f7ffb3f8b0aebe4ebeba900bdfa7821d380cfc2
            • Opcode Fuzzy Hash: 83df19e61639775bfc130c2f4d0ab551e8c2311ad1bd128f4b10754f8787c083
            • Instruction Fuzzy Hash: 3F018471A41208BBCB04EBA0D992EFF77ACEF45340F141119B913772D3EA216E4C96B1
            APIs
              • Part of subcall function 00DB7F41: _memmove.LIBCMT ref: 00DB7F82
              • Part of subcall function 00E0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E0B0E7
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E092D0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 9f6ede590507b1f729b3f08e2d026d13beb8204f60f8aee1eb88fa0bd71257ac
            • Instruction ID: ffc49ba8f8ade57584b37e197972f8b2b7b9a672c35465bbf692d6bb035171a7
            • Opcode Fuzzy Hash: 9f6ede590507b1f729b3f08e2d026d13beb8204f60f8aee1eb88fa0bd71257ac
            • Instruction Fuzzy Hash: C301A271A81208BBCB04EBA0D992EFF77ACEF15340F242115B853732D3DA215E4C9275
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: __calloc_crt
            • String ID: @R
            • API String ID: 3494438863-2347139750
            • Opcode ID: 19df63f6ad182dd363e0ca1c29b88de031592d0a9810f67d9b5fdb73aeff4fa5
            • Instruction ID: 75d356fef272f302466778961efd5eb31e5f1cd36837046aa1756f8310176ed7
            • Opcode Fuzzy Hash: 19df63f6ad182dd363e0ca1c29b88de031592d0a9810f67d9b5fdb73aeff4fa5
            • Instruction Fuzzy Hash: 7AF06271348A56DFF764CF2ABD116653B96EB44724B154427F108EA3A2EB30CCCA96F0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: e4a833d5db0b916653c853e52366a526b1b13072767951b3a55919afde9c00e4
            • Instruction ID: 34d65d8f9704133bca601501ca2f91cc674a0abaed5aad23a2cf69de5b624560
            • Opcode Fuzzy Hash: e4a833d5db0b916653c853e52366a526b1b13072767951b3a55919afde9c00e4
            • Instruction Fuzzy Hash: ABE02B3390032C2BD7109795AC09A97F7ACEB40761F000067F914E3050E56099448BE1
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E081CA
              • Part of subcall function 00DD3598: _doexit.LIBCMT ref: 00DD35A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: 35e76ef494f3870b80806e50313cba05d84b0fe3255dffea13baec5adc423982
            • Instruction ID: 91bb3be9af26c1c833a14b461240c933ead732c04ac40ce34890ee775662505d
            • Opcode Fuzzy Hash: 35e76ef494f3870b80806e50313cba05d84b0fe3255dffea13baec5adc423982
            • Instruction Fuzzy Hash: E2D05B323C531836D21432A57D0BFC57A48CF15B56F005056FB08755D38DD299C142F9
            APIs
              • Part of subcall function 00DEB564: _memset.LIBCMT ref: 00DEB571
              • Part of subcall function 00DD0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DEB540,?,?,?,00DB100A), ref: 00DD0B89
            • IsDebuggerPresent.KERNEL32(?,?,?,00DB100A), ref: 00DEB544
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DB100A), ref: 00DEB553
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DEB54E
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 3158253471-631824599
            • Opcode ID: 92b2c8dc471d0e9669f9780a4589a6a9286501cb34e5ec9dbea05e03b3291a63
            • Instruction ID: f7b2f666b64504ae30bbad7ac2d80fdff8c2c775fa5f6adaf2d6910b23699ecf
            • Opcode Fuzzy Hash: 92b2c8dc471d0e9669f9780a4589a6a9286501cb34e5ec9dbea05e03b3291a63
            • Instruction Fuzzy Hash: C0E06D70600755CFD721EF2AD5093437BE0AB04715F04892EE886D2761EBB4E448CB71
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E35BF5
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E35C08
              • Part of subcall function 00E154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E1555E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2103545536.0000000000DB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DB0000, based on PE: true
            • Associated: 00000000.00000002.2103534640.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E3F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103580373.0000000000E65000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103609603.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2103621893.0000000000E78000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_db0000_New Quotation - FE7191PO154.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: f1ce7eeb9f1b9803587b7af3bee0c2eeab7f9a403a91fe172619899e57b7751b
            • Instruction ID: 2666d4452d5d985a37c402767f3ecc1a2804152d5f6ba5a07629130ba83ccc49
            • Opcode Fuzzy Hash: f1ce7eeb9f1b9803587b7af3bee0c2eeab7f9a403a91fe172619899e57b7751b
            • Instruction Fuzzy Hash: F8D0A932B88300BAE334AB30AC0FFD32A10AB40B40F000834B216BA0E0C8E45800C640
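The three function records above (the AutoIt "Error allocating memory." dialog, the IsDebuggerPresent/OutputDebugStringW pair, and the FindWindowW(Shell_TrayWnd)/PostMessageW sequence) are the kind of lines an analyst reads by hand to decide which IDA-plugin hits matter. The following is an added triage script, not part of the Joe Sandbox report and not Joe Sandbox code: it parses "APIs" records in the layout shown on this page into structured calls and flags the ones on a small watch list. The regex, the watch list and the field names are assumptions of this example. The one caveat it encodes is worth stating: the IsDebuggerPresent call in the second record sits next to the string "ERROR : Unable to initialize critical section in CAtlBaseModule", which is the ATL runtime's own start-up check (it calls IsDebuggerPresent only to decide whether to OutputDebugString that text), so the script demotes that pair to library boilerplate rather than counting it as sample-specific anti-debugging. The PostMessageW wParam 0x197 is reported as a value only; the example does not interpret it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the "APIs" records of the three functions above, in the
# Joe Sandbox layout (a few record separators kept so the parser has to skip them).
SAMPLE = """\
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E081CA
  • Part of subcall function 00DD3598: _doexit.LIBCMT ref: 00DD35A2
Strings
Memory Dump Source
APIs
  • Part of subcall function 00DEB564: _memset.LIBCMT ref: 00DEB571
  • Part of subcall function 00DD0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DEB540,?,?,?,00DB100A), ref: 00DD0B89
• IsDebuggerPresent.KERNEL32(?,?,?,00DB100A), ref: 00DEB544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DB100A), ref: 00DEB553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DEB54E
Memory Dump Source
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E35BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E35C08
  • Part of subcall function 00E154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E1555E
"""

# One "• Api.MODULE(args), ref: ADDR" line (assumed layout). The "Part of subcall
# function" prefix marks calls made from a callee rather than from the function itself.
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # raw argument text; "?" is an unresolved value
    ref: str                    # address of the call instruction
    subcall_of: Optional[str]   # callee address when reported via "Part of subcall function"


def parse_api_records(text: str) -> list:
    """Group the report's call lines into one list per "APIs" record."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if stripped in SECTION_HEADERS:
            current = None              # bullets under "Strings" are not calls
            continue
        m = CALL_RE.match(line) if current is not None else None
        if m:
            # The report does not quote string arguments, so a comma inside a string
            # would be split here; none of the strings in this sample contain one.
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            current.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
    return records


# APIs worth a second look during triage (example watch list), keyed without the A/W suffix.
WATCHLIST = {
    "IsDebuggerPresent": "debugger check",
    "OutputDebugString": "debugger check (OutputDebugString/GetLastError pattern)",
    "Sleep": "execution delay",
    "FindWindow": "window lookup",
    "PostMessage": "window messaging",
    "MessageBox": "user-visible dialog",
}
ATL_MARKER = "CAtlBaseModule"
WM_COMMAND = 0x0111


def _hex(s: str) -> Optional[int]:
    try:
        return int(s, 16)
    except ValueError:
        return None


def classify(call: ApiCall) -> Optional[str]:
    """Return a triage tag for a watch-listed call, or None."""
    base = call.api[:-1] if call.api.endswith(("W", "A")) and call.api[:-1] in WATCHLIST else call.api
    if base not in WATCHLIST:
        return None
    tag = WATCHLIST[base]
    if base == "FindWindow" and call.args and call.args[0] not in ("?", "00000000"):
        tag += f" for class {call.args[0]}"
    if base == "PostMessage" and len(call.args) >= 3 and _hex(call.args[1]) == WM_COMMAND:
        wparam = _hex(call.args[2])
        tag += f" (WM_COMMAND, wParam {call.args[2] if wparam is None else hex(wparam)})"
    if base == "MessageBox" and "AutoIt" in call.args:
        tag += " with AutoIt caption (compiled-AutoIt runtime marker)"
    return tag


def triage(records: list) -> list:
    """Flag watch-listed calls; demote the ATL start-up debugger check to library noise."""
    findings = []
    for idx, calls in enumerate(records):
        # ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide whether
        # to OutputDebugString its own error text, so that pair is library boilerplate.
        atl_init = any(ATL_MARKER in a for c in calls for a in c.args)
        for c in calls:
            tag = classify(c)
            if tag is None:
                continue
            findings.append({
                "record": idx,
                "api": c.api,
                "ref": c.ref,
                "tag": tag,
                "via_subcall": c.subcall_of is not None,
                "library_boilerplate": atl_init and c.api.startswith(("IsDebuggerPresent", "OutputDebugString")),
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_api_records(SAMPLE)):
        note = " [library boilerplate]" if f["library_boilerplate"] else ""
        print(f"record {f['record']} {f['api']}@{f['ref']}: {f['tag']}{note}")
```

Run on a full report export, the `via_subcall` flag separates APIs the function calls itself from ones reached through a callee (the Sleep here is reached via 00E154E6), and the `library_boilerplate` flag keeps the ATL initialisation hit from inflating the anti-debugging count; the remaining hits are the ones to open in the disassembly.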