
Windows Analysis Report
EKSTRE_1022.exe

Overview

General Information

Sample name: EKSTRE_1022.exe
Analysis ID: 1559971
MD5: 3503285c5dcb5ddf134d7617366cf050
SHA1: 277773b0e3c13989a52ca37963f7e342fa1a0be8
SHA256: 077dc59cc8a2b17c1c2f17f0620368fe3b252c881cdb600aee54662d2699351c
Tags: exe, user-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • EKSTRE_1022.exe (PID: 1896 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: 3503285C5DCB5DDF134D7617366CF050)
    • pteropod.exe (PID: 5524 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: 3503285C5DCB5DDF134D7617366CF050)
      • RegSvcs.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • pteropod.exe (PID: 320 cmdline: "C:\Users\user\AppData\Local\ageless\pteropod.exe" MD5: 3503285C5DCB5DDF134D7617366CF050)
      • RegSvcs.exe (PID: 736 cmdline: "C:\Users\user\AppData\Local\ageless\pteropod.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • WerFault.exe (PID: 1272 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source | Rule | Description | Author | Strings
00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | strings listed below
  • 0x35005:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35077:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35101:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35193:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x351fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3526f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35305:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35395:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
5.2.pteropod.exe.1030000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5.2.pteropod.exe.1030000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.pteropod.exe.1030000.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | strings listed below
  • 0x33205:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33277:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33301:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33393:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x333fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3346f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33505:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33595:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , ProcessId: 6300, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2748, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , ProcessId: 6300, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\ageless\pteropod.exe, ProcessId: 5524, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs
No Suricata rule has matched


AV Detection

Source: 5.2.pteropod.exe.1030000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | ReversingLabs: Detection: 34%
Source: EKSTRE_1022.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Joe Sandbox ML: detected
Source: EKSTRE_1022.exe | Joe Sandbox ML: detected
Source: EKSTRE_1022.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000002.00000003.2082031247.0000000004170000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000002.00000003.2083926282.0000000004360000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223531243.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223231909.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pteropod.exe, 00000002.00000003.2082031247.0000000004170000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000002.00000003.2083926282.0000000004360000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223531243.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223231909.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_002A6CA9
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_002A60DD
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_002A63F9
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002AEB60
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002AF56F FindFirstFileW,FindClose,0_2_002AF56F
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002AF5FA
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002B1B2F
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002B1C8A
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002B1F94
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00AB6CA9
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_00AB60DD
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_00AB63F9
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00ABEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00ABEB60
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00ABF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00ABF5FA
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00ABF56F FindFirstFileW,FindClose,2_2_00ABF56F
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00AC1B2F
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00AC1C8A
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00AC1F94
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 78.110.166.82:587
Source: Joe Sandbox View | IP Address: 78.110.166.82
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002B4EB5
Source: global traffic | DNS traffic detected: DNS query: zqamcx.com
Source: RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lenc
Source: RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://zqamcx.com
Source: pteropod.exe, 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, pteropod.exe, 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.pteropod.exe.4130000.1.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: 5.2.pteropod.exe.1030000.1.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002B6B0C
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002B6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002B6D07
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AC6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00AC6D07
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_002A2B37
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002CF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_002CF7FF
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00ADF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00ADF7FF

                  System Summary

                  barindex
                  Source: 5.2.pteropod.exe.1030000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.pteropod.exe.1030000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.pteropod.exe.4130000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.pteropod.exe.4130000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: This is a third-party compiled AutoIt script.0_2_00263D19
                  Source: EKSTRE_1022.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: EKSTRE_1022.exe, 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a6a92aac-2
                  Source: EKSTRE_1022.exe, 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: )SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_2330edc1-9
                  Source: EKSTRE_1022.exe, 00000000.00000003.2062201560.0000000003A7D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_712420f4-1
                  Source: EKSTRE_1022.exe, 00000000.00000003.2062201560.0000000003A7D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_13915c03-7
                  Source: C:\Users\user\AppData\Local\ageless\pteropod.exeCode function: This is a third-party compiled AutoIt script.2_2_00A73D19
                  Source: pteropod.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: pteropod.exe, 00000002.00000002.2084777705.0000000000B1E000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_633a2f05-c
                  Source: pteropod.exe, 00000002.00000002.2084777705.0000000000B1E000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_28499bdd-a
                  Source: pteropod.exe, 00000005.00000000.2198511784.0000000000B1E000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3f5ca10e-1
                  Source: pteropod.exe, 00000005.00000000.2198511784.0000000000B1E000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3a26fbca-8
                  Source: EKSTRE_1022.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6b161366-0
                  Source: EKSTRE_1022.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_58722d25-f
                  Source: pteropod.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_dae2da6e-0
                  Source: pteropod.exe.0.drString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e655a4dc-6
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A6606 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_0029ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AB79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: String function: 00A8EC2F appears 68 times
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: String function: 00A9F8A0 appears 35 times
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: String function: 00A96AC0 appears 42 times
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: String function: 0028F8A0 appears 35 times
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: String function: 00286AC0 appears 42 times
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: String function: 0027EC2F appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 12
Source: EKSTRE_1022.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.pteropod.exe.1030000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.pteropod.exe.1030000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.pteropod.exe.4130000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.pteropod.exe.4130000.1.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@11/10@1/1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002ACE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_0029AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_0029B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AAAB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00AAB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002AE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002A6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_002BC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_0026406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File created: C:\Users\user\AppData\Local\ageless
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess736
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File created: C:\Users\user\AppData\Local\Temp\aut4C87.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
Source: EKSTRE_1022.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EKSTRE_1022.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File read: C:\Users\user\Desktop\EKSTRE_1022.exe
Source: unknown | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\AppData\Local\ageless\pteropod.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ageless\pteropod.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 12
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\AppData\Local\ageless\pteropod.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ageless\pteropod.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: EKSTRE_1022.exe | Static file information: File size 1255936 > 1048576
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: EKSTRE_1022.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000002.00000003.2082031247.0000000004170000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000002.00000003.2083926282.0000000004360000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223531243.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223231909.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pteropod.exe, 00000002.00000003.2082031247.0000000004170000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000002.00000003.2083926282.0000000004360000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223531243.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.2223231909.0000000003A80000.00000004.00001000.00020000.00000000.sdmp
Source: EKSTRE_1022.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EKSTRE_1022.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EKSTRE_1022.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EKSTRE_1022.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EKSTRE_1022.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_0027E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Code function: 0_2_00286B05 push ecx; ret 0_2_00286B18
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_00A96B05 push ecx; ret 2_2_00A96B18
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 2_2_01A54897 push edi; ret 2_2_01A54898
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe | Code function: 5_2_0132D65F push edi; ret 5_2_0132D660
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File created: C:\Users\user\AppData\Local\ageless\pteropod.exe

Boot Survival

                  Source: C:\Users\user\AppData\Local\ageless\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to dropped file
                  Source: C:\Users\user\AppData\Local\ageless\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to behavior
                  Source: C:\Users\user\AppData\Local\ageless\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002C8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0027EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AD8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00A8EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0028123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe API/Special instruction interceptor: Address: 1A54114
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe API/Special instruction interceptor: Address: 132CEDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7276
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\EKSTRE_1022.exe API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe API coverage: 4.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002A6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002A60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002A63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002AEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002AF56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002AF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002B1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002B1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002B1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AB6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00ABEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00ABF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00ABF56F FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00AC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0027DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93657
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002B6AAF BlockInput
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_00263D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_00293920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0027E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_01351038 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0134F9A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_01350FD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_01A54380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_01A543E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_01A52D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 5_2_0132D1A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 5_2_0132BB18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 5_2_0132D148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_0029A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_002881AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\EKSTRE_1022.exe Code function: 0_2_00288189 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00A981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe Code function: 2_2_00A98189 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 430000
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F08008
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7FB008
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_0029B106 LogonUserW,0_2_0029B106
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_00263D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00263D19
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002A411C SendInput,keybd_event,0_2_002A411C
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002A74BB mouse_event,0_2_002A74BB
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\ageless\pteropod.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ageless\pteropod.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_0029A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0029A66C
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002A71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_002A71FA
Source: EKSTRE_1022.exe, pteropod.exe; Binary or memory string: Shell_TrayWnd
Source: EKSTRE_1022.exe, pteropod.exe.0.dr; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002865C4 cpuid 0_2_002865C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002B091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_002B091D
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002DB340 GetUserNameW,0_2_002DB340
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_00291E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00291E8E
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_0027DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0027DDC0
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 5524, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 320, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: pteropod.exe; Binary or memory string: WIN_81
Source: pteropod.exe; Binary or memory string: WIN_XP
Source: pteropod.exe.0.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: pteropod.exe; Binary or memory string: WIN_XPe
Source: pteropod.exe; Binary or memory string: WIN_VISTA
Source: pteropod.exe; Binary or memory string: WIN_7
Source: pteropod.exe; Binary or memory string: WIN_8
Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 5524, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 320, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.pteropod.exe.1030000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pteropod.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4508762505.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 5524, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: pteropod.exe PID: 320, type: MEMORYSTR
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002B8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_002B8C4F
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 0_2_002B923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_002B923B
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Code function: 2_2_00AC8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00AC8C4F
Source: C:\Users\user\AppData\Local\ageless\pteropod.exe; Code function: 2_2_00AC923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00AC923B
MITRE ATT&CK Matrix

The matrix is listed here by tactic (one line per column of the original matrix). Where a technique is preceded by a number, that number is the signature count badge shown for the technique in the report; techniques without a number were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; 3 Native API; 1 Shared Modules; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 131 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
Credential Access: 2 OS Credential Dumping; 221 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 138 System Information Discovery; 351 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 221 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph
Behavior Graph ID: 1559971
Sample: EKSTRE_1022.exe
Startdate: 21/11/2024
Architecture: WINDOWS
Score: 100

The graph is rendered below as a process tree. The number in parentheses after a process name is the count badge shown on that node in the original graph.

Start node
  DNS/IP: zqamcx.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
  Started: EKSTRE_1022.exe (4); wscript.exe (1)

EKSTRE_1022.exe (4)
  Dropped: C:\Users\user\AppData\Local\...\pteropod.exe, PE32
  Signatures: Binary is likely a compiled AutoIt script file
  Started: pteropod.exe (2)
    Dropped: C:\Users\user\AppData\...\pteropod.vbs, data
    Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
    Started: RegSvcs.exe (2)
      DNS/IP: zqamcx.com 78.110.166.82, ports 49704, 49705, 587, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, United Kingdom
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures

wscript.exe (1)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: pteropod.exe (1)
    Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Sample uses process hollowing technique
    Started: RegSvcs.exe
      Started: WerFault.exe (23)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
EKSTRE_1022.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject |
EKSTRE_1022.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\ageless\pteropod.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\ageless\pteropod.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://r11.i.lenc | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zqamcx.com | 78.110.166.82 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://zqamcx.com | RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | pteropod.exe, 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, pteropod.exe, 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://r11.i.lenc | RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r11.o.lencr.org0# | RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://r11.i.lencr.org/0# | RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000003.00000002.4508762505.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4508762505.0000000003208000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4511121854.00000000064D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
78.110.166.82 | zqamcx.com | United Kingdom | | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559971
Start date and time: 2024-11-21 08:56:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EKSTRE_1022.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@11/10@1/1
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 60
• Number of non-executed functions: 295
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 2748 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: EKSTRE_1022.exe
Time | Type | Description
02:57:01 | API Interceptor | 11461904x Sleep call for process: RegSvcs.exe modified
02:57:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
08:57:02 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                78.110.166.82 | COB756883.vbs | malicious | CobaltStrike | windowsupdatesolutions.com/ServerCOB.txt
                                78.110.166.82 | Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php
                                78.110.166.82 | Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                zqamcx.com | 18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | PO NO170300999.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | AgentTesla | 78.110.166.82
                                zqamcx.com | 29.10.2024-29.10.2024.exe | malicious | AgentTesla | 78.110.166.82
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | New_Order_Inquiry.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 18112024_Dokman_1 Kas_m 2024- Avans_T24-2112184_dekont.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | (İTOSAM) 11 KASIM 2024 HAFTALIK EKONOMİ BÜLTENİ.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | PO NO170300999.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | sora.mips.elf | malicious | Mirai | 78.157.201.124
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | RKsVnThLLP.exe | malicious | Njrat | 94.46.207.10
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
                                UKSERVERS-ASUKDedicatedServersHostingandCo-Location | New Order (2).exe | malicious | AgentTesla | 78.110.166.82
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.5813874072684719
                                Encrypted:false
                                SSDEEP:96:LhFG+uTWrYZsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAcf/VXTZ:Fs+uTWrYZk0WbkQzuiFKZ24IO8bq
                                MD5:5E263E4DA37725078155632A6ED14C23
                                SHA1:3991C6B433F813BD5945C3C8895B6A29F7DEADF6
                                SHA-256:1DEE7DBA817312E73946E89362CF7285620C9910D3DBC080B4517E9D8F65C6FC
                                SHA-512:F87DB2B5C8CFF9518F0FA35D538790670D91EC4B76EBA7F06D3355B8819C5EE40AF498E0902E44981D2148559D6A14160FB267E76BD3B45D6108A57F01895131
                                Malicious:false
                                Reputation:low
                                Preview:Version=1 EventType=APPCRASH EventTime=133766494365098097 ReportType=2 Consent=1 UploadTime=133766494408836085 ReportStatus=524384 ReportIdentifier=fd9f1425-13b6-4093-b395-f2ed7ed28e50 IntegratorReportIdentifier=3326864f-4d7a-499a-aabf-c9fdfdf40282 Wow64Host=34404 Wow64Guest=332 NsAppName=bad_module_info AppSessionGuid=000002e0-0001-0014-8857-71faea3bdb01 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00001969771b2f022f9a86d77ac4d4d239becdf08d07!RegSvcs.exe TargetAppVe
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8214
                                Entropy (8bit):3.6750295840821057
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJ2a6S6YrQ6dgmfU8px/89b68sfdY+m:R6lXJr6S6Y86dgmfUT6PfG
                                MD5:81B1E72242215D33C64CA768B3D4B0EA
                                SHA1:B93246105B32AD7E445CD9E1E7CE3F20B84C57A1
                                SHA-256:4E9400F34E0B56356E7F97BE9FF0B5BBEC176CD3E2314E7A72ABCF67E8245C9F
                                SHA-512:DA4D9F990D387553A592672E06E95D1E06679D9F13D14E7F023170DC33C30172739F031D7D068DE261039C11D6462381143351EB989BCFE74C364C37A78C6830
                                Malicious:false
                                Reputation:low
                                Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>736</Pid
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4572
                                Entropy (8bit):4.436339029500459
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zscJg77aI94jWpW8VYTPYm8M4JTHFv2+q87AdUm30wd:uIjfaI7mS7VaSJ8Om30wd
                                MD5:1D7275ADE8C2AEBD7F5D079568057575
                                SHA1:C759710DEF1A339F6A7B90F27F5212976D4A145D
                                SHA-256:8EC96B17AE7364B180E8102D0852A60DD6FCE9CE174CF87D6459BEDE649A67B0
                                SHA-512:5C2EC5703D03446EB05560DC9C5A6F8E47864191F0DC693BFB05C8AE0C2C6AFD16A1AC2BEE9DBFDD8D1B81F52A267800A03B817DAFEBE74FC6FD162CEF4ADC89
                                Malicious:false
                                Reputation:low
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="597540" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4736
                                Entropy (8bit):3.2401038615027127
                                Encrypted:false
                                SSDEEP:96:pwpIiYkXkkXfkuguW50Qm0QO0QgIm0QXE0Qu0QZEDguXH0xszeuzSzbxGQI5BmlD:pFle+u9BnoeyOkN0D
                                MD5:31DD840A61323B122D369F741FC12101
                                SHA1:23D6A276FAE29FD4FE9F6A591E2E16FA7A832118
                                SHA-256:6A9D5C078715985BBAA5169D17074BA9F553074CBFACD54E2081BDA42513A261
                                SHA-512:1333A5C9C61C66B1E9775840FDC6F4C30342F85591360CF62890A9CE768F0D055F59765AB0E227ABE25C249EF1194E4B74A9F5A4684570A7192FAB6B0D28E09D
                                Malicious:false
                                Reputation:low
                                Preview:Snapshot statistics: - Signature : PSSD - Flags/CaptureFlags : 00000001/d00039ff - Aux pages : 1 entries long - VA space stream : 2592 bytes in size - Handle trace stream : 0 bytes in size - Handle stream : 640 bytes in size - Threads : 1 threads - Thread stream : 832 bytes in size Snapshot performance counters: - TotalCycleCount : 2710796 cycles - VaCloneCycleCount :
                                Process:C:\Users\user\Desktop\EKSTRE_1022.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):145342
                                Entropy (8bit):7.888217487709383
                                Encrypted:false
                                SSDEEP:3072:gtiNpEE5lw62Qw6cCvi9bv/PGrDt3c8irSsg/EzrI4ibxiR:ret62Qwd9bn6xyrS5NjxG
                                MD5:4DBD38C07486D1CB9D5ACA1679952827
                                SHA1:2DFEFDAD441A53254C57856DF0BBA932C8C81311
                                SHA-256:901CCD905EF1DF04220B8DA90F676CE1D55D26330202AA95F272BFBF1D33C7AC
                                SHA-512:D6093659E59F4415D94E4395561A48102749FA078F44DC4B94C8CAB8315A24F16E2A2C0EF6DDFD47FBCED148CA097A2ACF9DF04033325B3446F8F78940F2A857
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\ageless\pteropod.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):145342
                                Entropy (8bit):7.888217487709383
                                Encrypted:false
                                SSDEEP:3072:gtiNpEE5lw62Qw6cCvi9bv/PGrDt3c8irSsg/EzrI4ibxiR:ret62Qwd9bn6xyrS5NjxG
                                MD5:4DBD38C07486D1CB9D5ACA1679952827
                                SHA1:2DFEFDAD441A53254C57856DF0BBA932C8C81311
                                SHA-256:901CCD905EF1DF04220B8DA90F676CE1D55D26330202AA95F272BFBF1D33C7AC
                                SHA-512:D6093659E59F4415D94E4395561A48102749FA078F44DC4B94C8CAB8315A24F16E2A2C0EF6DDFD47FBCED148CA097A2ACF9DF04033325B3446F8F78940F2A857
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\ageless\pteropod.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):145342
                                Entropy (8bit):7.888217487709383
                                Encrypted:false
                                SSDEEP:3072:gtiNpEE5lw62Qw6cCvi9bv/PGrDt3c8irSsg/EzrI4ibxiR:ret62Qwd9bn6xyrS5NjxG
                                MD5:4DBD38C07486D1CB9D5ACA1679952827
                                SHA1:2DFEFDAD441A53254C57856DF0BBA932C8C81311
                                SHA-256:901CCD905EF1DF04220B8DA90F676CE1D55D26330202AA95F272BFBF1D33C7AC
                                SHA-512:D6093659E59F4415D94E4395561A48102749FA078F44DC4B94C8CAB8315A24F16E2A2C0EF6DDFD47FBCED148CA097A2ACF9DF04033325B3446F8F78940F2A857
                                Malicious:false
                                Process:C:\Users\user\Desktop\EKSTRE_1022.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):247808
                                Entropy (8bit):6.515738976337021
                                Encrypted:false
                                SSDEEP:6144:KebiXJyuGxVrAOzRraC5BYQ8H29Pe6rn0TyFUr91rxsyOZADKPzgZpKO:KebiXJyuGxdAOzpvj8HMPe670TrhlqqZ
                                MD5:3DDDDCEB96C78C92ED9D6B4869652A73
                                SHA1:E34FDFC444F1D16742D08B96A0DD29951E5C2392
                                SHA-256:4E5599DF8F1C0A60887C9DF6A97C6B2BE8A0F7EE30CA89D6E899EDE38DB3BD73
                                SHA-512:89063CB1EEB167BD1D3C57B92CD88AD09C63B837CF8D7A0F450C818F86E7A2F9EEAC3C207A307DA3341B30E742431DCEA67463439A78D2A37550D9C7D6CF5A01
                                Malicious:false
                                Process:C:\Users\user\Desktop\EKSTRE_1022.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1255936
                                Entropy (8bit):6.637056239878405
                                Encrypted:false
                                SSDEEP:24576:Qtb20pkaCqT5TBWgNQ7akJjJuEnxoGYgzF6A:ZVg5tQ7akJjTnth5
                                MD5:3503285C5DCB5DDF134D7617366CF050
                                SHA1:277773B0E3C13989A52CA37963F7E342FA1A0BE8
                                SHA-256:077DC59CC8A2B17C1C2F17F0620368FE3B252C881CDB600AEE54662D2699351C
                                SHA-512:DBC962EF078124D349AE90030462F601F6BE5410EDB2413DAE1A158DEC8793CA1454A000551CCDF8CF5D6839EBF91042579F16D3638FADE66FCB05B9D9432F46
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 34%
                                Process:C:\Users\user\AppData\Local\ageless\pteropod.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):274
                                Entropy (8bit):3.390012493452078
                                Encrypted:false
                                SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1ElCLlw6E7nriIM8lfQVn:DsO+vNlzQ1Eli9EDmA2n
                                MD5:9C916B8682DD3F696E3023287C6BF207
                                SHA1:8942A1637FD67C094401C6E34EACA9C3E414ABCD
                                SHA-256:F5B5DEE05F9833B2467CA536387560078B4DD1542297C79B764D5A33B95F6085
                                SHA-512:875A7723867D9834A0D965698C3FC2D8C72EE2B7D16A7990D0C67EAC0EAE50E4346E212C5A53537D6D2EAC2880B18D1987E37F947D8445793B386C7019A549BB
                                Malicious:true
                                Preview:Set WshShell = CreateObject("WScript.Shell")
                                WshShell.Run "C:\Users\alfons\AppData\Local\ageless\pteropod.exe", 1
                                Set WshShell = Nothing
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.637056239878405
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:EKSTRE_1022.exe
                                File size:1'255'936 bytes
                                MD5:3503285c5dcb5ddf134d7617366cf050
                                SHA1:277773b0e3c13989a52ca37963f7e342fa1a0be8
                                SHA256:077dc59cc8a2b17c1c2f17f0620368fe3b252c881cdb600aee54662d2699351c
                                SHA512:dbc962ef078124d349ae90030462f601f6be5410edb2413dae1a158dec8793ca1454a000551ccdf8cf5d6839ebf91042579f16d3638fade66fcb05b9d9432f46
                                SSDEEP:24576:Qtb20pkaCqT5TBWgNQ7akJjJuEnxoGYgzF6A:ZVg5tQ7akJjTnth5
                                TLSH:D445BF1363DD83A5D77212737A3677556E7B7C2946B0B85B2F98383DEA30122121EA33
                                Icon Hash:98e2a3b29b9ba181
                                Entrypoint:0x425f74
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x673EA132 [Thu Nov 21 02:55:46 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                Instruction
                                call 00007FCCC08DC88Fh
                                jmp 00007FCCC08CF8A4h
                                int3
                                int3
                                push edi
                                push esi
                                mov esi, dword ptr [esp+10h]
                                mov ecx, dword ptr [esp+14h]
                                mov edi, dword ptr [esp+0Ch]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007FCCC08CFA2Ah
                                cmp edi, eax
                                jc 00007FCCC08CFD8Eh
                                bt dword ptr [004C0158h], 01h
                                jnc 00007FCCC08CFA29h
                                rep movsb
                                jmp 00007FCCC08CFD3Ch
                                cmp ecx, 00000080h
                                jc 00007FCCC08CFBF4h
                                mov eax, edi
                                xor eax, esi
                                test eax, 0000000Fh
                                jne 00007FCCC08CFA30h
                                bt dword ptr [004BA370h], 01h
                                jc 00007FCCC08CFF00h
                                bt dword ptr [004C0158h], 00000000h
                                jnc 00007FCCC08CFBCDh
                                test edi, 00000003h
                                jne 00007FCCC08CFBDEh
                                test esi, 00000003h
                                jne 00007FCCC08CFBBDh
                                bt edi, 02h
                                jnc 00007FCCC08CFA2Fh
                                mov eax, dword ptr [esi]
                                sub ecx, 04h
                                lea esi, dword ptr [esi+04h]
                                mov dword ptr [edi], eax
                                lea edi, dword ptr [edi+04h]
                                bt edi, 03h
                                jnc 00007FCCC08CFA33h
                                movq xmm1, qword ptr [esi]
                                sub ecx, 08h
                                lea esi, dword ptr [esi+08h]
                                movq qword ptr [edi], xmm1
                                lea edi, dword ptr [edi+08h]
                                test esi, 00000007h
                                je 00007FCCC08CFA85h
                                bt esi, 03h
                                jnc 00007FCCC08CFAD8h
                                movdqa xmm1, dqword ptr [esi+00h]
                                Programming Language:
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [ASM] VS2012 UPD4 build 61030
                                • [RES] VS2012 UPD4 build 61030
                                • [LNK] VS2012 UPD4 build 61030
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x69980 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12e000 | 0x6c4c | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0xc4000 | 0x69980 | 0x69a00 | 3736ec2c68e523dc6bab028679e4252f | False | 0.5616424741124261 | data | 6.112357820361566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x12e000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0xc4458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                RT_ICON | 0xc4580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                RT_ICON | 0xc46a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                RT_ICON | 0xc47d0 | 0x33428 | Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m | English | Great Britain | 0.13495903981710802
                                RT_MENU | 0xf7bf8 | 0x50 | data | English | Great Britain | 0.9
                                RT_STRING | 0xf7c48 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                RT_STRING | 0xf81dc | 0x68a | data | English | Great Britain | 0.2747909199522103
                                RT_STRING | 0xf8868 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                RT_STRING | 0xf8cf8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                RT_STRING | 0xf92f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                RT_STRING | 0xf9950 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                RT_STRING | 0xf9db8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                RT_RCDATA | 0xf9f10 | 0x33593 | data | | | 1.0003375760140356
                                RT_GROUP_ICON | 0x12d4a4 | 0x14 | data | English | Great Britain | 1.25
                                RT_GROUP_ICON | 0x12d4b8 | 0x14 | data | English | Great Britain | 1.25
                                RT_GROUP_ICON | 0x12d4cc | 0x14 | data | English | Great Britain | 1.15
                                RT_GROUP_ICON | 0x12d4e0 | 0x14 | data | English | Great Britain | 1.25
                                RT_VERSION | 0x12d4f4 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                RT_MANIFEST | 0x12d5d0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
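The section, resource and import tables above are enough for a first static triage of the sample. The script below is an added example written for this page, not Joe Sandbox code: the section, resource and import rows are transcribed from the tables (the import list is a subset), while the 0x1000 section alignment, the entropy and ZLIB thresholds and the capability buckets are the author's assumptions.

```python
"""Static triage of the PE tables above (sections, resources, imports).

Added example, not Joe Sandbox code. SECTIONS, RESOURCES and IMPORTS are
transcribed from the report (IMPORTS is a subset); the alignment value,
thresholds and capability buckets are the author's assumptions.
"""
from __future__ import annotations

SECTION_ALIGNMENT = 0x1000  # assumed; the report does not print the optional header

# (name, virtual address, virtual size, raw size, entropy) from the section table
SECTIONS = [
    (".text",  0x1000,   0x8b54f, 0x8b600, 6.680413749210956),
    (".rdata", 0x8d000,  0x2cc42, 0x2ce00, 5.770192333189168),
    (".data",  0xba000,  0x9d54,  0x6200,  2.002691099965349),
    (".rsrc",  0xc4000,  0x69980, 0x69a00, 6.112357820361566),
    (".reloc", 0x12e000, 0xa474,  0xa600,  5.245426654116355),
]

# (type, rva, size, zlib complexity) for the resources worth a look
RESOURCES = [
    ("RT_ICON",     0xc47d0,  0x33428, 0.13495903981710802),
    ("RT_RCDATA",   0xf9f10,  0x33593, 1.0003375760140356),
    ("RT_MANIFEST", 0x12d5d0, 0x3b0,   0.5116525423728814),
]

# subset of the import table; the full lists are in the report
IMPORTS = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                     "ReadProcessMemory", "CreateProcessW", "ResumeThread",
                     "IsDebuggerPresent", "OutputDebugStringW", "Sleep"],
    "USER32.dll": ["GetAsyncKeyState", "GetKeyboardState", "BlockInput",
                   "OpenClipboard", "GetClipboardData", "SendInput"],
    "ADVAPI32.dll": ["AdjustTokenPrivileges", "LogonUserW", "CreateProcessAsUserW"],
    "WININET.dll": ["InternetOpenW", "HttpSendRequestW", "FtpOpenFileW"],
    "WSOCK32.dll": ["socket", "connect", "send", "recv"],
}

# author's buckets: which imported APIs enable which capability
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "ReadProcessMemory", "ResumeThread"},
    "anti-debug":        {"IsDebuggerPresent", "OutputDebugStringW", "BlockInput"},
    "input-capture":     {"GetAsyncKeyState", "GetKeyboardState", "GetClipboardData"},
    "token-abuse":       {"AdjustTokenPrivileges", "LogonUserW", "CreateProcessAsUserW"},
    "network":           {"socket", "connect", "HttpSendRequestW", "FtpOpenFileW"},
}


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def section_findings(sections=SECTIONS, alignment=SECTION_ALIGNMENT) -> list[str]:
    """Layout and entropy checks: a packer usually leaves a gap between
    sections or an entropy close to 8 bits per byte. Empty list = nothing odd."""
    findings = []
    for i, (name, va, vsize, _rsize, entropy) in enumerate(sections):
        if i + 1 < len(sections) and align_up(va + vsize, alignment) != sections[i + 1][1]:
            findings.append(f"{name}: next section does not start where {name} ends")
        if entropy > 7.0:
            findings.append(f"{name}: entropy {entropy:.2f} suggests packed or encrypted code")
    return findings


def payload_resources(resources=RESOURCES, rsrc=SECTIONS[3],
                      min_size=0x10000, min_complexity=0.95) -> list[dict]:
    """Large resources whose bytes zlib cannot shrink (complexity near 1.0):
    they are already compressed or encrypted, which icons and manifests are not."""
    hits = []
    for rtype, rva, size, complexity in resources:
        if size >= min_size and complexity >= min_complexity:
            hits.append({"type": rtype, "rva": rva, "size": size,
                         "share_of_rsrc": round(size / rsrc[2], 3)})
    return hits


def capability_profile(imports=IMPORTS, buckets=CAPABILITIES) -> dict[str, list[str]]:
    """Bucket imported APIs by what they enable. Caveat: this import table is
    the stock AutoIt3 interpreter's, so every compiled AutoIt script shows the
    same buckets; the profile describes the runtime, not this script."""
    present = {fn for fns in imports.values() for fn in fns}
    return {cap: sorted(present & fns) for cap, fns in buckets.items() if present & fns}


def triage() -> dict:
    sections, hits = section_findings(), payload_resources()
    verdict = ("unpacked interpreter stub carrying a compressed payload resource"
               if not sections and hits else "inconclusive")
    return {"sections": sections, "payload_resources": hits,
            "capabilities": capability_profile(), "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The import table alone says little about this particular sample: WINMM's mciSendStringW, SHELL32's SHEmptyRecycleBinW, USER32's BlockInput and the OpenProcess/VirtualAllocEx/WriteProcessMemory cluster are all part of the AutoIt3 runtime, so any compiled AutoIt script presents the same static capabilities. What sets this file apart is the 210 KB RT_RCDATA resource with a ZLIB complexity above 1.0 (the compressed script, with no language tag unlike every other resource) together with the behaviour recorded at run time; to read what the script does, extract that resource with an AutoIt script extractor rather than reasoning from imports.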
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 08:57:03.560831070 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:03.680478096 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:03.680579901 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:05.011286020 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:05.012209892 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:05.131757021 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:05.416438103 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:05.425611019 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:05.545104027 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:05.833590031 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:05.840373039 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:05.960691929 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.258843899 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.258979082 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.258999109 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.259061098 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:06.476489067 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:06.596148968 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.881803989 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:06.928384066 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:06.952786922 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:07.072320938 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:07.357320070 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:07.358500004 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:07.477993965 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:07.763276100 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:07.764559031 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:07.884176970 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.174160957 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.174491882 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:08.294066906 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.578965902 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.579433918 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:08.699027061 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.991970062 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:08.996596098 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.116219997 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.403477907 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.404191971 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.404275894 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.404275894 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.404308081 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.524144888 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.524159908 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.524173021 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.524184942 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.922570944 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:09.975276947 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:09.997812033 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:10.117388010 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:10.403734922 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:10.408787012 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:10.409825087 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:10.529495955 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:10.529619932 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:11.772381067 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:11.776180029 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:11.895639896 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.171478987 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.171668053 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:12.292223930 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.571471930 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.572099924 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:12.691683054 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.976449013 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.976494074 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.976511002 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:12.976586103 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:12.978043079 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:13.097573042 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:13.373969078 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:13.375494957 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:13.495421886 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:13.773011923 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:13.773304939 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:13.892796993 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.168838978 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.169188023 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:14.288866043 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.569742918 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.570208073 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:14.689757109 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.965190887 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:14.965511084 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.085155010 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.368796110 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.369028091 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.488761902 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.772895098 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.782433033 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782516003 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782537937 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782588005 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782633066 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782685995 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782712936 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782736063 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782763004 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.782787085 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:57:15.902450085 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902483940 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902498960 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902513027 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902537107 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902569056 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902632952 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902647018 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902672052 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:15.902683020 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:16.298868895 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:57:16.350255966 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:58:43.241259098 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Nov 21, 2024 08:58:43.360843897 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:58:43.637650967 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5
Nov 21, 2024 08:58:43.638391018 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 08:57:03.223776102 CET | 60639 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 08:57:03.513932943 CET | 53 | 60639 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 08:57:03.223776102 CET | 192.168.2.5 | 1.1.1.1 | 0x1759 | Standard query (0) | zqamcx.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 08:57:03.513932943 CET | 1.1.1.1 | 192.168.2.5 | 0x1759 | No error (0) | zqamcx.com | | 78.110.166.82 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 21, 2024 08:57:05.011286020 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 21 Nov 2024 07:57:04 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 21, 2024 08:57:05.012209892 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82 | EHLO 473627
Nov 21, 2024 08:57:05.416438103 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 250-cphost14.qhoster.net Hello 473627 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 21, 2024 08:57:05.425611019 CET | 49704 | 587 | 192.168.2.5 | 78.110.166.82 | STARTTLS
Nov 21, 2024 08:57:05.833590031 CET | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 220 TLS go ahead
Nov 21, 2024 08:57:11.772381067 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 21 Nov 2024 07:57:11 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 21, 2024 08:57:11.776180029 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82 | EHLO 473627
Nov 21, 2024 08:57:12.171478987 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5 | 250-cphost14.qhoster.net Hello 473627 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 21, 2024 08:57:12.171668053 CET | 49705 | 587 | 192.168.2.5 | 78.110.166.82 | STARTTLS
Nov 21, 2024 08:57:12.571471930 CET | 587 | 49705 | 78.110.166.82 | 192.168.2.5 | 220 TLS go ahead
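The TCP, DNS and SMTP tables above describe two mail-submission sessions that go dark after STARTTLS. The script below is an added example written for this page, not Joe Sandbox code: it rebuilds the sessions from the packet rows, joins them with the DNS answer and the SMTP dialogue, and lists what a detection engineer can state from the capture alone. PACKETS holds the first and last packets of each session transcribed from the table, DNS_ANSWERS the answer row, and SMTP_LINES the SMTP rows; the checks in smtp_findings() are the author's heuristics.

```python
"""Session view of the network rows above (TCP, DNS and SMTP tables).

Added example, not Joe Sandbox code. PACKETS is a representative subset of
the TCP rows (first and last packet of each session), DNS_ANSWERS is the DNS
answer row, and SMTP_LINES are the SMTP rows, all transcribed from the report.
The rules in smtp_findings() are the author's heuristics, not the sandbox's.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime

CLIENT = "192.168.2.5"
SERVER = "78.110.166.82"

# (timestamp, src port, dst port, src ip, dst ip)
PACKETS = [
    ("Nov 21, 2024 08:57:03.560831070 CET", 49704, 587, CLIENT, SERVER),
    ("Nov 21, 2024 08:57:03.680478096 CET", 587, 49704, SERVER, CLIENT),
    ("Nov 21, 2024 08:57:10.408787012 CET", 49704, 587, CLIENT, SERVER),
    ("Nov 21, 2024 08:57:10.409825087 CET", 49705, 587, CLIENT, SERVER),
    ("Nov 21, 2024 08:57:16.350255966 CET", 49705, 587, CLIENT, SERVER),
    ("Nov 21, 2024 08:58:43.638391018 CET", 49705, 587, CLIENT, SERVER),
]

DNS_ANSWERS = [("zqamcx.com", SERVER)]  # (name, address) from the DNS answer row

# (client port, side, line); "S" = server, "C" = client
SMTP_LINES = [
    (49704, "S", "220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 21 Nov 2024 07:57:04 +0000"),
    (49704, "C", "EHLO 473627"),
    (49704, "S", "250-cphost14.qhoster.net Hello 473627 [8.46.123.75]"),
    (49704, "S", "250-STARTTLS"),
    (49704, "C", "STARTTLS"),
    (49704, "S", "220 TLS go ahead"),
    (49705, "S", "220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 21 Nov 2024 07:57:11 +0000"),
    (49705, "C", "EHLO 473627"),
    (49705, "C", "STARTTLS"),
    (49705, "S", "220 TLS go ahead"),
]


def parse_ts(ts: str) -> datetime:
    """'Nov 21, 2024 08:57:03.560831070 CET' -> naive datetime; the zone label
    is dropped and nanoseconds are truncated to the microseconds strptime takes."""
    stamp, _zone = ts.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def sessions(packets=PACKETS, client=CLIENT) -> dict[int, dict]:
    """Group packets into client sessions keyed by the client's ephemeral port."""
    out: dict[int, dict] = {}
    for ts, sport, dport, sip, dip in packets:
        t = parse_ts(ts)
        port, server, server_port = (sport, dip, dport) if sip == client else (dport, sip, sport)
        s = out.setdefault(port, {"server": server, "server_port": server_port,
                                  "first": t, "last": t, "packets": 0})
        s["first"], s["last"] = min(s["first"], t), max(s["last"], t)
        s["packets"] += 1
    return out


def smtp_findings(smtp=SMTP_LINES, dns=DNS_ANSWERS, packets=PACKETS) -> dict[int, list[str]]:
    """Per-session observations that follow from the capture alone."""
    resolved = {addr: name for name, addr in dns}
    by_port: dict[int, list[tuple[str, str]]] = defaultdict(list)
    for port, side, line in smtp:
        by_port[port].append((side, line))
    findings: dict[int, list[str]] = {}
    for port, sess in sessions(packets).items():
        lines = by_port.get(port, [])
        client_cmds = [line.upper() for side, line in lines if side == "C"]
        notes = []
        name = resolved.get(sess["server"])
        if name:
            notes.append(f"{sess['server']}:{sess['server_port']} was resolved from {name}")
        ehlo = next((c.split(" ", 1)[1] for c in client_cmds if c.startswith("EHLO ")), None)
        if ehlo and "." not in ehlo:
            notes.append(f"EHLO name {ehlo} is a bare host name, not an FQDN")
        banner = next((line for side, line in lines if side == "S" and line.startswith("220-")), None)
        if banner and name and name not in banner:
            notes.append(f"server greets as {banner.split()[0][4:]}, not as {name}")
        if any(side == "S" and line.startswith("220 TLS") for side, line in lines):
            notes.append("STARTTLS accepted: AUTH, envelope and body are encrypted from here")
        if not any(c.startswith(("AUTH", "MAIL FROM")) for c in client_cmds):
            notes.append("no cleartext AUTH or MAIL FROM in the capture")
        dur = (sess["last"] - sess["first"]).total_seconds()
        notes.append(f"{dur:.1f}s between first and last sampled packet")
        findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in smtp_findings().items():
        print(f"session from port {port}:")
        for note in notes:
            print("  -", note)
```

Three things in this output matter for detection. First, both sessions negotiate STARTTLS before any AUTH or MAIL FROM, so the credentials, recipient and stolen data never appear in this capture; recovering them needs TLS interception in the sandbox or the sample's own configuration, not the pcap. Second, the EHLO argument is the sending machine's host name, so on a real victim the mail host logs the computer name alongside the public egress address it saw (8.46.123.75 here, not the VM's 192.168.2.5). Third, the page carries three clocks: the server banner is UTC (07:57:04 +0000), the capture is CET (08:57:05), and the process list's Start time (02:56:57) is the sandbox VM's own clock; correlate by offsets within one source rather than by wall time across sources.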


                                Target ID:0
                                Start time:02:56:57
                                Start date:21/11/2024
                                Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                Imagebase:0x260000
                                File size:1'255'936 bytes
                                MD5 hash:3503285C5DCB5DDF134D7617366CF050
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:02:56:58
                                Start date:21/11/2024
                                Path:C:\Users\user\AppData\Local\ageless\pteropod.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                Imagebase:0xa70000
                                File size:1'255'936 bytes
                                MD5 hash:3503285C5DCB5DDF134D7617366CF050
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2085926396.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 34%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:02:57:00
                                Start date:21/11/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                Imagebase:0xca0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4508762505.000000000322A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4507142862.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4508762505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4508762505.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4508762505.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                Target ID:4
                                Start time:02:57:11
                                Start date:21/11/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
                                Imagebase:0x7ff7f0150000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:02:57:12
                                Start date:21/11/2024
                                Path:C:\Users\user\AppData\Local\ageless\pteropod.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\ageless\pteropod.exe"
                                Imagebase:0xa70000
                                File size:1'255'936 bytes
                                MD5 hash:3503285C5DCB5DDF134D7617366CF050
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2225418640.0000000001030000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:02:57:14
                                Start date:21/11/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\AppData\Local\ageless\pteropod.exe"
                                Imagebase:0x430000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:10
                                Start time:02:57:16
                                Start date:21/11/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 12
                                Imagebase:0xd0000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:3.8%
                                  Dynamic/Decrypted Code Coverage:0.4%
                                  Signature Coverage:7.5%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:51
94003->93994 94025 28185b 59 API calls __wcsnicmp_l 94003->94025 94005 28e7ed 94005->93994 94026 28185b 59 API calls __wcsnicmp_l 94005->94026 94007->93963 94008->93977 94009->93977 94010->93977 94011->93977 94018 287e58 LeaveCriticalSection 94012->94018 94014 28e5de 94014->93986 94015->93990 94016->93990 94017->93985 94018->94014 94027 295bb1 94019->94027 94021 2963e2 94021->93998 94022->93996 94023->93998 94024->94003 94025->94005 94026->93994 94028 295bbd _flsall 94027->94028 94029 295bcf 94028->94029 94031 295c06 94028->94031 94112 287c0e 47 API calls __getptd_noexit 94029->94112 94038 295c78 94031->94038 94032 295bd4 94113 286e10 8 API calls __wcsnicmp_l 94032->94113 94035 295c23 94114 295c4c LeaveCriticalSection __unlock_fhandle 94035->94114 94037 295bde _flsall 94037->94021 94039 295c98 94038->94039 94040 28273b __wsopen_helper 47 API calls 94039->94040 94042 295cb4 94040->94042 94041 286e20 __invoke_watson 8 API calls 94043 2963c8 94041->94043 94045 295cee 94042->94045 94056 295d11 94042->94056 94061 295deb 94042->94061 94044 295bb1 __wsopen_helper 104 API calls 94043->94044 94046 2963e2 94044->94046 94047 287bda __chsize_nolock 47 API calls 94045->94047 94046->94035 94048 295cf3 94047->94048 94049 287c0e __wcsnicmp_l 47 API calls 94048->94049 94050 295d00 94049->94050 94051 286e10 __wcsnicmp_l 8 API calls 94050->94051 94053 295d0a 94051->94053 94052 295dcf 94054 287bda __chsize_nolock 47 API calls 94052->94054 94053->94035 94055 295dd4 94054->94055 94057 287c0e __wcsnicmp_l 47 API calls 94055->94057 94056->94052 94060 295dad 94056->94060 94058 295de1 94057->94058 94059 286e10 __wcsnicmp_l 8 API calls 94058->94059 94059->94061 94062 28a979 __wsopen_helper 52 API calls 94060->94062 94061->94041 94063 295e7b 94062->94063 94064 295e85 94063->94064 94065 295ea6 94063->94065 94067 287bda __chsize_nolock 47 API calls 94064->94067 94066 295b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94065->94066 94077 295ec8 94066->94077 94068 295e8a 94067->94068 
94070 287c0e __wcsnicmp_l 47 API calls 94068->94070 94069 295f46 GetFileType 94071 295f51 GetLastError 94069->94071 94072 295f93 94069->94072 94074 295e94 94070->94074 94076 287bed __dosmaperr 47 API calls 94071->94076 94084 28ac0b __set_osfhnd 48 API calls 94072->94084 94073 295f14 GetLastError 94078 287bed __dosmaperr 47 API calls 94073->94078 94075 287c0e __wcsnicmp_l 47 API calls 94074->94075 94075->94053 94079 295f78 CloseHandle 94076->94079 94077->94069 94077->94073 94080 295b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94077->94080 94081 295f39 94078->94081 94079->94081 94082 295f86 94079->94082 94083 295f09 94080->94083 94086 287c0e __wcsnicmp_l 47 API calls 94081->94086 94085 287c0e __wcsnicmp_l 47 API calls 94082->94085 94083->94069 94083->94073 94089 295fb1 94084->94089 94087 295f8b 94085->94087 94086->94061 94087->94081 94088 29616c 94088->94061 94091 29633f CloseHandle 94088->94091 94089->94088 94090 28f82f __lseeki64_nolock 49 API calls 94089->94090 94100 296032 94089->94100 94092 29601b 94090->94092 94093 295b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94091->94093 94095 287bda __chsize_nolock 47 API calls 94092->94095 94092->94100 94094 296366 94093->94094 94097 29636e GetLastError 94094->94097 94098 29639a 94094->94098 94095->94100 94096 28ee0e 59 API calls __wsopen_helper 94096->94100 94099 287bed __dosmaperr 47 API calls 94097->94099 94098->94061 94101 29637a 94099->94101 94100->94088 94100->94096 94102 28ea9c __close_nolock 50 API calls 94100->94102 94103 296064 94100->94103 94106 28f82f 49 API calls __lseeki64_nolock 94100->94106 94107 28af61 __flush 78 API calls 94100->94107 94108 2961e9 94100->94108 94105 28ab1e __free_osfhnd 48 API calls 94101->94105 94102->94100 94103->94100 94104 296f40 __chsize_nolock 81 API calls 94103->94104 94104->94103 94105->94098 94106->94100 94107->94100 94109 28ea9c __close_nolock 50 API calls 94108->94109 94110 2961f0 94109->94110 94111 287c0e __wcsnicmp_l 47 API calls 
94110->94111 94111->94061 94112->94032 94113->94037 94114->94037 94119 2642f6 94115->94119 94118 2642cc LoadLibraryA GetProcAddress 94118->93915 94120 2642aa 94119->94120 94121 2642ff LoadLibraryA 94119->94121 94120->93915 94120->94118 94121->94120 94122 264310 GetProcAddress 94121->94122 94122->94120 94124 27f4ea 48 API calls 94123->94124 94125 2647c9 94124->94125 94125->93923 94127 264085 FindResourceExW 94126->94127 94131 2640a2 94126->94131 94128 2d4f16 LoadResource 94127->94128 94127->94131 94129 2d4f2b SizeofResource 94128->94129 94128->94131 94130 2d4f3f LockResource 94129->94130 94129->94131 94130->94131 94131->93924 94133 264526 94132->94133 94134 2d4fe0 94132->94134 94138 283a8d 94133->94138 94136 264534 94136->93934 94137->93924 94139 283a99 _flsall 94138->94139 94140 283aa7 94139->94140 94141 283acd 94139->94141 94151 287c0e 47 API calls __getptd_noexit 94140->94151 94143 284e1c __lock_file 48 API calls 94141->94143 94146 283ad3 94143->94146 94144 283aac 94152 286e10 8 API calls __wcsnicmp_l 94144->94152 94153 2839fe 81 API calls 3 library calls 94146->94153 94148 283ae2 94154 283b04 LeaveCriticalSection LeaveCriticalSection _fseek 94148->94154 94150 283ab7 _flsall 94150->94136 94151->94144 94152->94150 94153->94148 94154->94150 94158 283839 94155->94158 94157 264510 94157->93943 94159 283845 _flsall 94158->94159 94160 283888 94159->94160 94161 28385b _memset 94159->94161 94162 283880 _flsall 94159->94162 94163 284e1c __lock_file 48 API calls 94160->94163 94185 287c0e 47 API calls __getptd_noexit 94161->94185 94162->94157 94164 28388e 94163->94164 94171 28365b 94164->94171 94167 283875 94186 286e10 8 API calls __wcsnicmp_l 94167->94186 94172 283691 94171->94172 94175 283676 _memset 94171->94175 94187 2838c2 LeaveCriticalSection LeaveCriticalSection _fseek 94172->94187 94173 283681 94279 287c0e 47 API calls __getptd_noexit 94173->94279 94175->94172 94175->94173 94178 2836cf 94175->94178 94178->94172 94179 282933 __ftell_nolock 47 API calls 94178->94179 
94182 2837e0 _memset 94178->94182 94188 28ee0e 94178->94188 94259 28eb66 94178->94259 94281 28ec87 47 API calls 3 library calls 94178->94281 94179->94178 94282 287c0e 47 API calls __getptd_noexit 94182->94282 94184 283686 94280 286e10 8 API calls __wcsnicmp_l 94184->94280 94185->94167 94186->94162 94187->94162 94189 28ee2f 94188->94189 94190 28ee46 94188->94190 94283 287bda 47 API calls __getptd_noexit 94189->94283 94192 28f57e 94190->94192 94196 28ee80 94190->94196 94299 287bda 47 API calls __getptd_noexit 94192->94299 94193 28ee34 94284 287c0e 47 API calls __getptd_noexit 94193->94284 94198 28ee88 94196->94198 94204 28ee9f 94196->94204 94197 28f583 94300 287c0e 47 API calls __getptd_noexit 94197->94300 94285 287bda 47 API calls __getptd_noexit 94198->94285 94200 28ee94 94301 286e10 8 API calls __wcsnicmp_l 94200->94301 94202 28ee8d 94286 287c0e 47 API calls __getptd_noexit 94202->94286 94205 28eeb4 94204->94205 94207 28eece 94204->94207 94209 28eeec 94204->94209 94239 28ee3b 94204->94239 94287 287bda 47 API calls __getptd_noexit 94205->94287 94207->94205 94214 28eed9 94207->94214 94288 2869d0 47 API calls _W_store_winword 94209->94288 94212 28eefc 94215 28ef1f 94212->94215 94216 28ef04 94212->94216 94213 293bf2 __stbuf 47 API calls 94217 28efed 94213->94217 94214->94213 94291 28f82f 49 API calls 3 library calls 94215->94291 94289 287c0e 47 API calls __getptd_noexit 94216->94289 94219 28f066 ReadFile 94217->94219 94224 28f003 GetConsoleMode 94217->94224 94222 28f088 94219->94222 94223 28f546 GetLastError 94219->94223 94221 28ef09 94290 287bda 47 API calls __getptd_noexit 94221->94290 94222->94223 94232 28f058 94222->94232 94227 28f046 94223->94227 94228 28f553 94223->94228 94229 28f063 94224->94229 94230 28f017 94224->94230 94225 28ef2d 94225->94214 94241 28f04c 94227->94241 94292 287bed 47 API calls 3 library calls 94227->94292 94297 287c0e 47 API calls __getptd_noexit 94228->94297 94229->94219 94230->94229 94234 28f01d ReadConsoleW 94230->94234 94231 28ef14 
94231->94239 94232->94241 94243 28f0bd 94232->94243 94251 28f32a 94232->94251 94234->94232 94236 28f040 GetLastError 94234->94236 94235 28f558 94298 287bda 47 API calls __getptd_noexit 94235->94298 94236->94227 94239->94178 94240 281c9d _free 47 API calls 94240->94239 94241->94239 94241->94240 94242 28f129 ReadFile 94245 28f14a GetLastError 94242->94245 94253 28f154 94242->94253 94243->94242 94249 28f1aa 94243->94249 94245->94253 94246 28f267 94255 28f217 MultiByteToWideChar 94246->94255 94295 28f82f 49 API calls 3 library calls 94246->94295 94247 28f257 94294 287c0e 47 API calls __getptd_noexit 94247->94294 94248 28f430 ReadFile 94252 28f453 GetLastError 94248->94252 94258 28f461 94248->94258 94249->94241 94249->94246 94249->94247 94249->94255 94251->94241 94251->94248 94252->94258 94253->94243 94293 28f82f 49 API calls 3 library calls 94253->94293 94255->94236 94255->94241 94258->94251 94296 28f82f 49 API calls 3 library calls 94258->94296 94260 28eb71 94259->94260 94261 28eb86 94259->94261 94332 287c0e 47 API calls __getptd_noexit 94260->94332 94265 28ebbb 94261->94265 94273 28eb81 94261->94273 94334 293e24 47 API calls __malloc_crt 94261->94334 94263 28eb76 94333 286e10 8 API calls __wcsnicmp_l 94263->94333 94267 282933 __ftell_nolock 47 API calls 94265->94267 94268 28ebcf 94267->94268 94302 28ed06 94268->94302 94270 28ebd6 94271 282933 __ftell_nolock 47 API calls 94270->94271 94270->94273 94272 28ebf9 94271->94272 94272->94273 94274 282933 __ftell_nolock 47 API calls 94272->94274 94273->94178 94275 28ec05 94274->94275 94275->94273 94276 282933 __ftell_nolock 47 API calls 94275->94276 94277 28ec12 94276->94277 94278 282933 __ftell_nolock 47 API calls 94277->94278 94278->94273 94279->94184 94280->94172 94281->94178 94282->94184 94283->94193 94284->94239 94285->94202 94286->94200 94287->94202 94288->94212 94289->94221 94290->94231 94291->94225 94292->94241 94293->94253 94294->94241 94295->94255 94296->94258 94297->94235 94298->94241 94299->94197 94300->94200 
94301->94239 94303 28ed12 _flsall 94302->94303 94304 28ed1a 94303->94304 94305 28ed32 94303->94305 94307 287bda __chsize_nolock 47 API calls 94304->94307 94306 28eded 94305->94306 94310 28ed68 94305->94310 94308 287bda __chsize_nolock 47 API calls 94306->94308 94309 28ed1f 94307->94309 94311 28edf2 94308->94311 94312 287c0e __wcsnicmp_l 47 API calls 94309->94312 94313 28ed8a 94310->94313 94314 28ed75 94310->94314 94315 287c0e __wcsnicmp_l 47 API calls 94311->94315 94325 28ed27 _flsall 94312->94325 94317 28a8ed ___lock_fhandle 49 API calls 94313->94317 94316 287bda __chsize_nolock 47 API calls 94314->94316 94318 28ed82 94315->94318 94319 28ed7a 94316->94319 94320 28ed90 94317->94320 94324 286e10 __wcsnicmp_l 8 API calls 94318->94324 94321 287c0e __wcsnicmp_l 47 API calls 94319->94321 94322 28eda3 94320->94322 94323 28edb6 94320->94323 94321->94318 94326 28ee0e __wsopen_helper 59 API calls 94322->94326 94327 287c0e __wcsnicmp_l 47 API calls 94323->94327 94324->94325 94325->94270 94329 28edaf 94326->94329 94328 28edbb 94327->94328 94330 287bda __chsize_nolock 47 API calls 94328->94330 94331 28ede5 __filbuf LeaveCriticalSection 94329->94331 94330->94329 94331->94325 94332->94263 94333->94273 94334->94265 94338 28344a GetSystemTimeAsFileTime 94335->94338 94337 2abdc3 94337->93945 94339 283478 __aulldiv 94338->94339 94339->94337 94341 283e71 _flsall 94340->94341 94342 283e7f 94341->94342 94343 283e94 94341->94343 94354 287c0e 47 API calls __getptd_noexit 94342->94354 94345 284e1c __lock_file 48 API calls 94343->94345 94347 283e9a 94345->94347 94346 283e84 94355 286e10 8 API calls __wcsnicmp_l 94346->94355 94356 283b0c 55 API calls 4 library calls 94347->94356 94350 283ea5 94357 283ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94350->94357 94352 283eb7 94353 283e8f _flsall 94352->94353 94353->93950 94354->94346 94355->94353 94356->94350 94357->94352 94359 281e55 94358->94359 94360 281e61 94358->94360 94359->94360 94369 281ed4 94359->94369 94377 289d6b 47 API calls 
__wcsnicmp_l 94359->94377 94382 287c0e 47 API calls __getptd_noexit 94360->94382 94362 282019 94367 281e41 94362->94367 94383 286e10 8 API calls __wcsnicmp_l 94362->94383 94365 281fa0 94365->94360 94365->94367 94370 281fb0 94365->94370 94366 281f5f 94366->94360 94368 281f7b 94366->94368 94379 289d6b 47 API calls __wcsnicmp_l 94366->94379 94367->93483 94368->94360 94368->94367 94373 281f91 94368->94373 94369->94360 94376 281f41 94369->94376 94378 289d6b 47 API calls __wcsnicmp_l 94369->94378 94381 289d6b 47 API calls __wcsnicmp_l 94370->94381 94380 289d6b 47 API calls __wcsnicmp_l 94373->94380 94376->94365 94376->94366 94377->94369 94378->94376 94379->94368 94380->94367 94381->94367 94382->94362 94383->94367 94402 2ac581 __tzset_nolock _wcscmp 94401->94402 94403 2644ed 64 API calls 94402->94403 94404 2abf5a GetSystemTimeAsFileTime 94402->94404 94405 2ac05f 94402->94405 94406 264517 83 API calls 94402->94406 94403->94402 94404->94402 94405->93859 94405->93861 94406->94402 94518 26bd3f 94517->94518 94521 26bd5a 94517->94521 94519 26bdfa 48 API calls 94518->94519 94520 26bd47 CharUpperBuffW 94519->94520 94520->94521 94521->93425 94523 2d436a 94522->94523 94524 262b8b 94522->94524 94525 27f4ea 48 API calls 94524->94525 94526 262b92 94525->94526 94527 262bb3 94526->94527 94604 262bce 48 API calls 94526->94604 94527->93433 94530 26e8f6 94529->94530 94589 26e906 Mailbox 94529->94589 94531 26ed52 94530->94531 94530->94589 94688 27e3cd 335 API calls 94531->94688 94533 26ebc7 94534 26ebdd 94533->94534 94689 262ff6 16 API calls 94533->94689 94534->93433 94536 26ed63 94536->94534 94537 26ed70 94536->94537 94690 27e312 335 API calls Mailbox 94537->94690 94538 26e94c PeekMessageW 94538->94589 94540 2d526e Sleep 94540->94589 94541 26ed77 LockWindowUpdate DestroyWindow GetMessageW 94541->94534 94543 26eda9 94541->94543 94545 2d59ef TranslateMessage DispatchMessageW GetMessageW 94543->94545 94545->94545 94546 2d5a1f 94545->94546 94546->94534 94547 26ed21 PeekMessageW 94547->94589 
94548 261caa 49 API calls 94548->94589 94549 27f4ea 48 API calls 94549->94589 94550 26ebf7 timeGetTime 94550->94589 94552 266eed 48 API calls 94552->94589 94553 2d5557 WaitForSingleObject 94556 2d5574 GetExitCodeProcess CloseHandle 94553->94556 94553->94589 94554 26ed3a TranslateMessage DispatchMessageW 94554->94547 94555 2d588f Sleep 94584 2d5429 Mailbox 94555->94584 94556->94589 94557 26d7f7 48 API calls 94557->94584 94558 26edae timeGetTime 94691 261caa 49 API calls 94558->94691 94560 2d5733 Sleep 94560->94584 94563 27dc38 timeGetTime 94563->94584 94564 2d5926 GetExitCodeProcess 94567 2d593c WaitForSingleObject 94564->94567 94568 2d5952 CloseHandle 94564->94568 94566 262aae 311 API calls 94566->94589 94567->94568 94567->94589 94568->94584 94569 2d5445 Sleep 94569->94589 94570 262c79 107 API calls 94570->94584 94572 2d5432 Sleep 94572->94569 94573 2c8c4b 108 API calls 94573->94584 94574 2d59ae Sleep 94574->94589 94576 26ce19 48 API calls 94576->94584 94579 26fe30 311 API calls 94579->94589 94580 26d6e9 55 API calls 94580->94584 94582 2745e0 311 API calls 94582->94589 94583 273200 311 API calls 94583->94589 94584->94557 94584->94563 94584->94564 94584->94569 94584->94570 94584->94572 94584->94573 94584->94574 94584->94576 94584->94580 94584->94589 94693 2a4cbe 49 API calls Mailbox 94584->94693 94694 261caa 49 API calls 94584->94694 94695 262aae 335 API calls 94584->94695 94696 2bccb2 50 API calls 94584->94696 94697 2a7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94584->94697 94698 2a6532 63 API calls 3 library calls 94584->94698 94585 2acc5c 86 API calls 94585->94589 94587 26ce19 48 API calls 94587->94589 94588 26d6e9 55 API calls 94588->94589 94589->94533 94589->94538 94589->94540 94589->94547 94589->94548 94589->94549 94589->94550 94589->94552 94589->94553 94589->94554 94589->94555 94589->94558 94589->94560 94589->94566 94589->94569 94589->94579 94589->94582 94589->94583 94589->94584 94589->94585 94589->94587 
94589->94588 94605 26ef00 94589->94605 94612 26f110 94589->94612 94677 27e244 94589->94677 94682 27dc5f 94589->94682 94687 26eed0 335 API calls Mailbox 94589->94687 94692 2c8d23 48 API calls 94589->94692 94590->93433 94591->93433 94592->93433 94593->93433 94594->93433 94595->93433 94596->93433 94597->93433 94598->93433 94600 26d6f4 94599->94600 94602 26d71b 94600->94602 94722 26d764 55 API calls 94600->94722 94602->93433 94603->93433 94604->94527 94606 26ef2f 94605->94606 94607 26ef1d 94605->94607 94700 2acc5c 86 API calls 4 library calls 94606->94700 94699 26e3b0 335 API calls 2 library calls 94607->94699 94609 26ef26 94609->94589 94611 2d86f9 94611->94611 94613 26f130 94612->94613 94615 26fe30 335 API calls 94613->94615 94619 26f199 94613->94619 94614 26f595 94622 26d7f7 48 API calls 94614->94622 94660 26f431 Mailbox 94614->94660 94616 2d8728 94615->94616 94616->94619 94702 2acc5c 86 API calls 4 library calls 94616->94702 94617 2d87c8 94705 2acc5c 86 API calls 4 library calls 94617->94705 94619->94614 94623 26d7f7 48 API calls 94619->94623 94661 26f229 94619->94661 94665 26f3dd 94619->94665 94620 26f418 94631 2d8b1b 94620->94631 94648 26f6aa 94620->94648 94620->94660 94624 2d87a3 94622->94624 94626 2d8772 94623->94626 94704 280f0a 52 API calls __cinit 94624->94704 94625 26f3f2 94625->94620 94706 2a9af1 48 API calls 94625->94706 94703 280f0a 52 API calls __cinit 94626->94703 94629 26f770 94634 2d8a45 94629->94634 94654 26f77a 94629->94654 94641 2d8b2c 94631->94641 94642 2d8bcf 94631->94642 94632 26d6e9 55 API calls 94632->94660 94633 2d8810 94707 2beef8 335 API calls 94633->94707 94712 27c1af 48 API calls 94634->94712 94635 26fe30 335 API calls 94635->94648 94636 2acc5c 86 API calls 94636->94660 94637 2d8b7e 94715 2be40a 335 API calls Mailbox 94637->94715 94638 2d8c53 94720 2acc5c 86 API calls 4 library calls 94638->94720 94714 2bf5ee 335 API calls 94641->94714 94717 2acc5c 86 API calls 4 library calls 94642->94717 94643 2d8beb 94718 2bbdbd 335 API calls Mailbox 
94643->94718 94645 26fe30 335 API calls 94645->94660 94648->94629 94648->94635 94657 26fce0 94648->94657 94648->94660 94676 26f537 Mailbox 94648->94676 94649 271b90 48 API calls 94649->94660 94651 271b90 48 API calls 94651->94660 94654->94649 94655 2d8c00 94655->94676 94719 2acc5c 86 API calls 4 library calls 94655->94719 94656 2d8823 94656->94620 94659 2d884b 94656->94659 94657->94676 94716 2acc5c 86 API calls 4 library calls 94657->94716 94708 2bccdc 48 API calls 94659->94708 94660->94632 94660->94636 94660->94637 94660->94638 94660->94643 94660->94645 94660->94651 94660->94657 94660->94676 94701 26dd47 48 API calls ___crtGetEnvironmentStringsW 94660->94701 94713 2997ed InterlockedDecrement 94660->94713 94721 27c1af 48 API calls 94660->94721 94661->94614 94661->94620 94661->94660 94661->94665 94665->94617 94665->94625 94665->94660 94666 2d8857 94668 2d8865 94666->94668 94669 2d88aa 94666->94669 94709 2a9b72 48 API calls 94668->94709 94672 2d88a0 Mailbox 94669->94672 94710 2aa69d 48 API calls 94669->94710 94670 26fe30 335 API calls 94670->94676 94672->94670 94674 2d88e7 94711 26bc74 48 API calls 94674->94711 94676->94589 94678 27e253 94677->94678 94679 2ddf42 94677->94679 94678->94589 94680 2ddf77 94679->94680 94681 2ddf59 TranslateAcceleratorW 94679->94681 94681->94678 94683 27dca3 94682->94683 94686 27dc71 94682->94686 94683->94589 94684 27dc96 IsDialogMessageW 94684->94683 94684->94686 94685 2ddd1d GetClassLongW 94685->94684 94685->94686 94686->94683 94686->94684 94686->94685 94687->94589 94688->94533 94689->94536 94690->94541 94691->94589 94692->94589 94693->94584 94694->94584 94695->94584 94696->94584 94697->94584 94698->94584 94699->94609 94700->94611 94701->94660 94702->94619 94703->94661 94704->94660 94705->94676 94706->94633 94707->94656 94708->94666 94709->94672 94710->94674 94711->94672 94712->94660 94713->94660 94714->94660 94715->94657 94716->94676 94717->94676 94718->94655 94719->94676 94720->94676 94721->94660 94722->94602 94723->93054 94724 263742 
94725 26374b 94724->94725 94726 2637c8 94725->94726 94727 263769 94725->94727 94765 2637c6 94725->94765 94729 2637ce 94726->94729 94730 2d1e00 94726->94730 94731 263776 94727->94731 94732 26382c PostQuitMessage 94727->94732 94728 2637ab DefWindowProcW 94753 2637b9 94728->94753 94733 2637f6 SetTimer RegisterWindowMessageW 94729->94733 94734 2637d3 94729->94734 94779 262ff6 16 API calls 94730->94779 94736 2d1e88 94731->94736 94737 263781 94731->94737 94732->94753 94741 26381f CreatePopupMenu 94733->94741 94733->94753 94738 2637da KillTimer 94734->94738 94739 2d1da3 94734->94739 94794 2a4ddd 60 API calls _memset 94736->94794 94742 263836 94737->94742 94743 263789 94737->94743 94776 263847 Shell_NotifyIconW _memset 94738->94776 94745 2d1ddc MoveWindow 94739->94745 94746 2d1da8 94739->94746 94740 2d1e27 94780 27e312 335 API calls Mailbox 94740->94780 94741->94753 94769 27eb83 94742->94769 94749 2d1e6d 94743->94749 94750 263794 94743->94750 94745->94753 94754 2d1dac 94746->94754 94755 2d1dcb SetFocus 94746->94755 94749->94728 94793 29a5f3 48 API calls 94749->94793 94757 26379f 94750->94757 94758 2d1e58 94750->94758 94751 2d1e9a 94751->94728 94751->94753 94754->94757 94759 2d1db5 94754->94759 94755->94753 94756 2637ed 94777 26390f DeleteObject DestroyWindow Mailbox 94756->94777 94757->94728 94781 263847 Shell_NotifyIconW _memset 94757->94781 94792 2a55bd 70 API calls _memset 94758->94792 94778 262ff6 16 API calls 94759->94778 94764 2d1e68 94764->94753 94765->94728 94767 2d1e4c 94782 264ffc 94767->94782 94770 27ec1c 94769->94770 94771 27eb9a _memset 94769->94771 94770->94753 94795 2651af 94771->94795 94773 27ec05 KillTimer SetTimer 94773->94770 94774 27ebc1 94774->94773 94775 2d3c7a Shell_NotifyIconW 94774->94775 94775->94773 94776->94756 94777->94753 94778->94753 94779->94740 94780->94757 94781->94767 94783 265027 _memset 94782->94783 94829 264c30 94783->94829 94786 2650ac 94788 2d3d28 Shell_NotifyIconW 94786->94788 94789 2650ca Shell_NotifyIconW 94786->94789 94790 2651af 
50 API calls 94789->94790 94791 2650df 94790->94791 94791->94765 94792->94764 94793->94765 94794->94751 94796 2651cb 94795->94796 94816 2652a2 Mailbox 94795->94816 94797 266b0f 48 API calls 94796->94797 94798 2651d9 94797->94798 94799 2651e6 94798->94799 94800 2d3ca1 LoadStringW 94798->94800 94817 266a63 94799->94817 94803 2d3cbb 94800->94803 94802 2651fb 94802->94803 94804 26520c 94802->94804 94805 26510d 48 API calls 94803->94805 94806 265216 94804->94806 94807 2652a7 94804->94807 94810 2d3cc5 94805->94810 94809 26510d 48 API calls 94806->94809 94808 266eed 48 API calls 94807->94808 94812 265220 _memset _wcscpy 94808->94812 94809->94812 94811 26518c 48 API calls 94810->94811 94810->94812 94813 2d3ce7 94811->94813 94814 265288 Shell_NotifyIconW 94812->94814 94815 26518c 48 API calls 94813->94815 94814->94816 94815->94812 94816->94774 94818 266adf 94817->94818 94821 266a6f __wsetenvp 94817->94821 94819 26b18b 48 API calls 94818->94819 94820 266ab6 ___crtGetEnvironmentStringsW 94819->94820 94820->94802 94822 266ad7 94821->94822 94823 266a8b 94821->94823 94828 26c369 48 API calls 94822->94828 94824 266b4a 48 API calls 94823->94824 94826 266a95 94824->94826 94827 27ee75 48 API calls 94826->94827 94827->94820 94828->94820 94830 264c44 94829->94830 94831 2d3c33 94829->94831 94830->94786 94833 2a5819 61 API calls _W_store_winword 94830->94833 94831->94830 94832 2d3c3c DestroyIcon 94831->94832 94832->94830 94833->94786 94834 26ef80 94837 273b70 94834->94837 94836 26ef8c 94838 2742a5 94837->94838 94839 273bc8 94837->94839 94929 2acc5c 86 API calls 4 library calls 94838->94929 94840 273bef 94839->94840 94842 2d6fd1 94839->94842 94844 2d6f7e 94839->94844 94851 2d6f9b 94839->94851 94841 27f4ea 48 API calls 94840->94841 94843 273c18 94841->94843 94917 2bceca 335 API calls Mailbox 94842->94917 94846 27f4ea 48 API calls 94843->94846 94844->94840 94847 2d6f87 94844->94847 94898 273c2c __wsetenvp ___crtGetEnvironmentStringsW 94846->94898 94914 2bd552 335 API calls Mailbox 
94847->94914 94848 2d6fbe 94916 2acc5c 86 API calls 4 library calls 94848->94916 94851->94848 94915 2bda0e 335 API calls 2 library calls 94851->94915 94854 2d73b0 94854->94836 94855 2d7297 94925 2acc5c 86 API calls 4 library calls 94855->94925 94856 2d737a 94935 2acc5c 86 API calls 4 library calls 94856->94935 94861 2d707e 94918 2acc5c 86 API calls 4 library calls 94861->94918 94863 26d6e9 55 API calls 94863->94898 94865 27dce0 53 API calls 94865->94898 94867 2740df 94926 2acc5c 86 API calls 4 library calls 94867->94926 94868 26d645 53 API calls 94868->94898 94871 2d72d2 94927 2acc5c 86 API calls 4 library calls 94871->94927 94873 26fe30 335 API calls 94873->94898 94875 2d7350 94933 2acc5c 86 API calls 4 library calls 94875->94933 94876 2d72e9 94928 2acc5c 86 API calls 4 library calls 94876->94928 94877 2d7363 94934 2acc5c 86 API calls 4 library calls 94877->94934 94879 2742f2 94936 2acc5c 86 API calls 4 library calls 94879->94936 94882 266a63 48 API calls 94882->94898 94884 27c050 48 API calls 94884->94898 94885 2d714c 94922 2bccdc 48 API calls 94885->94922 94886 27f4ea 48 API calls 94886->94898 94888 273f2b 94888->94836 94889 2d733f 94932 2acc5c 86 API calls 4 library calls 94889->94932 94891 26d286 48 API calls 94891->94898 94893 2d71a1 94924 27c15c 48 API calls 94893->94924 94894 27ee75 48 API calls 94894->94898 94895 266eed 48 API calls 94895->94898 94898->94838 94898->94855 94898->94856 94898->94861 94898->94863 94898->94865 94898->94867 94898->94868 94898->94871 94898->94873 94898->94875 94898->94876 94898->94877 94898->94879 94898->94882 94898->94884 94898->94885 94898->94886 94898->94888 94898->94889 94898->94891 94898->94894 94898->94895 94900 2d71e1 94898->94900 94909 26d9a0 53 API calls __cinit 94898->94909 94910 26d83d 53 API calls 94898->94910 94911 26cdb9 48 API calls 94898->94911 94912 27c15c 48 API calls 94898->94912 94913 27becb 335 API calls 94898->94913 94919 26dcae 50 API calls Mailbox 94898->94919 94920 2bccdc 48 API calls 94898->94920 94921 
                                  [Function call graph (Joe Sandbox IDA plugin, image base 00260000): the node/edge listing is omitted here. The nodes it covered are the AutoIt3 runtime's start-up path and C runtime initialisation (labels such as __cinit, _flsall, __calloc_crt, __RTC_Initialize, __wwincmdln), not the embedded script's logic. Imported APIs reached from these nodes: GetStdHandle, CoInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, LoadLibraryA, GetProcAddress, FreeLibrary, GetNativeSystemInfo, GetSystemInfo, GetSystemTimeAsFileTime, IsThemeActive, SystemParametersInfoW, and on the CRT side GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, HeapAlloc, Sleep, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess. A separate cluster at 0134DB28-01350FD8, outside the 00260000 image, contains a GetPEB helper (direct PEB access, not an import) and a Sleep call.]

                                  Control-flow Graph

                                  [Basic-block graph for the function at 0028B043-0028B86C omitted. Its blocks call GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile and GetLastError and route errors through the CRT helpers at 00287C0E, 00287BDA and 00286E10; this matches the C runtime's text-mode _write() path rather than script logic.]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e247cd13e2eac810f21cb2d4aba3a1eececbef040020ce6d0ee857d9e903621
                                  • Instruction ID: 92b31fb8bcbe6fe0af5b685854bdf01884493ddda6ecf3935c9edf533900946d
                                  • Opcode Fuzzy Hash: 3e247cd13e2eac810f21cb2d4aba3a1eececbef040020ce6d0ee857d9e903621
                                  • Instruction Fuzzy Hash: 30327E79B222298FCB259F14DC856E9B7B5FF46310F1840DDE40AA7A91D7309E90CF52

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00263AA3,?), ref: 00263D45
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,00263AA3,?), ref: 00263D57
                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00321148,00321130,?,?,?,?,00263AA3,?), ref: 00263DC8
                                    • Part of subcall function 00266430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00263DEE,00321148,?,?,?,?,?,00263AA3,?), ref: 00266471
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00263AA3,?), ref: 00263E48
                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003128F4,00000010), ref: 002D1CCE
                                  • SetCurrentDirectoryW.KERNEL32(?,00321148,?,?,?,?,?,00263AA3,?), ref: 002D1D06
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002FDAB4,00321148,?,?,?,?,?,00263AA3,?), ref: 002D1D89
                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,00263AA3), ref: 002D1D90
                                    • Part of subcall function 00263E6E: GetSysColorBrush.USER32(0000000F), ref: 00263E79
                                    • Part of subcall function 00263E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00263E88
                                    • Part of subcall function 00263E6E: LoadIconW.USER32(00000063), ref: 00263E9E
                                    • Part of subcall function 00263E6E: LoadIconW.USER32(000000A4), ref: 00263EB0
                                    • Part of subcall function 00263E6E: LoadIconW.USER32(000000A2), ref: 00263EC2
                                    • Part of subcall function 00263E6E: RegisterClassExW.USER32(?), ref: 00263F30
                                    • Part of subcall function 002636B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002636E6
                                    • Part of subcall function 002636B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00263707
                                    • Part of subcall function 002636B8: ShowWindow.USER32(00000000,?,?,?,?,00263AA3,?), ref: 0026371B
                                    • Part of subcall function 002636B8: ShowWindow.USER32(00000000,?,?,?,?,00263AA3,?), ref: 00263724
                                    • Part of subcall function 00264FFC: _memset.LIBCMT ref: 00265022
                                    • Part of subcall function 00264FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002650CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                  • String ID: ()1$This is a third-party compiled AutoIt script.$runas
                                  • API String ID: 438480954-2668241128
                                  • Opcode ID: f06fdf76794590381b2431552172225f5c0384536c051b607212c5237af8793b
                                  • Instruction ID: d43649c60578fdaddd2462b246f78fc5ac2f2c89be46e8adecc0ea976bd42622
                                  • Opcode Fuzzy Hash: f06fdf76794590381b2431552172225f5c0384536c051b607212c5237af8793b
                                  • Instruction Fuzzy Hash: 5C512830A64289BACF12EBF0ED45EEE7B799F19700F004069F54166192DB715AB6CF31

                                  Control-flow Graph

                                  [Basic-block graph for the function at 0027DDC0-0027DF3B omitted. The path is: GetVersionExW, then GetCurrentProcess whose handle is passed to a LoadLibraryA/GetProcAddress helper at 0027DF5F (the resolved export name is not recovered in this dump), then a second LoadLibraryA/GetProcAddress helper at 0027DFF4 followed by GetNativeSystemInfo, with GetSystemInfo as the fallback when that resolution fails, and FreeLibrary on both exits. This is OS-version and native-architecture probing by the runtime, not sandbox evasion on its own.]
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0027DDEC
                                  • GetCurrentProcess.KERNEL32(00000000,002FDC38,?,?), ref: 0027DEAC
                                  • GetNativeSystemInfo.KERNELBASE(?,002FDC38,?,?), ref: 0027DF01
                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0027DF0C
                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0027DF1F
                                  • GetSystemInfo.KERNEL32(?,002FDC38,?,?), ref: 0027DF29
                                  • GetSystemInfo.KERNEL32(?,002FDC38,?,?), ref: 0027DF35
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                  • String ID:
                                  • API String ID: 3851250370-0
                                  • Opcode ID: 3f07f3eb61f3eea589b01abec15e5b8fcc7c573e48667010f9760806af7d9b9e
                                  • Instruction ID: e15ffe570b8fe587e8a88cd487983586a91566fd4b8589686cad0698a17d5a1c
                                  • Opcode Fuzzy Hash: 3f07f3eb61f3eea589b01abec15e5b8fcc7c573e48667010f9760806af7d9b9e
                                  • Instruction Fuzzy Hash: 1261AEB182A2C5CFCF16CF6898C11E97FB4AF39300B1989D9D8499F207C674C959CB66

                                  Control-flow Graph

                                  [Basic-block graph for the function at 0026406B-002D4F6E omitted. It creates an IStream with CreateStreamOnHGlobal, calls FindResourceExW for resource type 0000000A (RT_RCDATA) named "SCRIPT" with language 0, and on success chains LoadResource, SizeofResource and LockResource; the final block at 002D4F50-002D4F6E has no imported-API call, consistent with writing the locked bytes into the stream through its vtable. Each failed lookup returns to 002640A2. This is the runtime loading the compiled script embedded in the executable's resources.]
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0026449E,?,?,00000000,00000001), ref: 0026407B
                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0026449E,?,?,00000000,00000001), ref: 00264092
                                  • LoadResource.KERNEL32(?,00000000,?,?,0026449E,?,?,00000000,00000001,?,?,?,?,?,?,002641FB), ref: 002D4F1A
                                  • SizeofResource.KERNEL32(?,00000000,?,?,0026449E,?,?,00000000,00000001,?,?,?,?,?,?,002641FB), ref: 002D4F2F
                                  • LockResource.KERNEL32(0026449E,?,?,0026449E,?,?,00000000,00000001,?,?,?,?,?,?,002641FB,00000000), ref: 002D4F42
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                  • String ID: SCRIPT
                                  • API String ID: 3051347437-3967369404
                                  • Opcode ID: bff08abe8a82682361d131bbe27b1533d38665e3cb1b882916487c003cc94022
                                  • Instruction ID: 40781532bb09bc09c61619eb00263bc3949dce2048465c517cd1a2199942ab7d
                                  • Opcode Fuzzy Hash: bff08abe8a82682361d131bbe27b1533d38665e3cb1b882916487c003cc94022
                                  • Instruction Fuzzy Hash: AA118E70250711BFE7259F66EC88F677BB9EBC5B51F20412DF6468A2A1DB71DC80CA20
                                  Strings
                                  Similarity
                                  • API ID: Exception@8Throwstd::exception::exception
                                  • String ID: @$ 2$ 2$ 2
                                  • API String ID: 3728558374-1975447171
                                  • Opcode ID: 1fe1c1123832a4920a0646ba356c65e7d16bd72adacb1e2c45cb2fef0178f4b4
                                  • Instruction ID: f93f9b6afbc97a950dc28003d5f584e803542e7d9d30566ab0a5889a7a860c3c
                                  • Opcode Fuzzy Hash: 1fe1c1123832a4920a0646ba356c65e7d16bd72adacb1e2c45cb2fef0178f4b4
                                  • Instruction Fuzzy Hash: 3872BF30E2420ADFCF24EF94C485AAEB7B5EF48300F14C05AE909AB351D775AE65DB91
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,002D2F49), ref: 002A6CB9
                                  • FindFirstFileW.KERNELBASE(?,?), ref: 002A6CCA
                                  • FindClose.KERNEL32(00000000), ref: 002A6CDA
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0
                                  • Opcode ID: 1d6de2bed9462563f204741aad7c02dad24cd88f48df95e69c59cfc301b2ce69
                                  • Instruction ID: 2cb9c39c7f2fb14f1cd09dfff878005fb893ae7d6e42f675124eb2b1773c58de
                                  • Opcode Fuzzy Hash: 1d6de2bed9462563f204741aad7c02dad24cd88f48df95e69c59cfc301b2ce69
                                  • Instruction Fuzzy Hash: E8E0D8318205119B83206778FC4D4E9376DDE06339F100706F875C51D0EBB0D91045D5
                                  Strings
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: 2
                                  • API String ID: 3964851224-3110265278
                                  • Opcode ID: ef3190955aad2113497c78c050ce2098c97b742815640edead015045ab9f2763
                                  • Instruction ID: 394c885636e4747fa94afcb20e068e65b013d8d0ec605666f99c1ecd31a1658f
                                  • Opcode Fuzzy Hash: ef3190955aad2113497c78c050ce2098c97b742815640edead015045ab9f2763
                                  • Instruction Fuzzy Hash: 63926970628241DFD724DF18C484B6AB7E1BF88304F14885EF98A8B352D771EDA5DB92
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026E959
                                  • timeGetTime.WINMM ref: 0026EBFA
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026ED2E
                                  • TranslateMessage.USER32(?), ref: 0026ED3F
                                  • DispatchMessageW.USER32(?), ref: 0026ED4A
                                  • LockWindowUpdate.USER32(00000000), ref: 0026ED79
                                  • DestroyWindow.USER32 ref: 0026ED85
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0026ED9F
                                  • Sleep.KERNEL32(0000000A), ref: 002D5270
                                  • TranslateMessage.USER32(?), ref: 002D59F7
                                  • DispatchMessageW.USER32(?), ref: 002D5A05
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002D5A19
                                  Strings
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                  • API String ID: 2641332412-570651680
                                  • Opcode ID: 5d115630bdfe1cc0840d429e389a8d394ed4ce30cac2a77a8b456d77e678db32
                                  • Instruction ID: ad9cdfead2695420c9644b5052b72ab72a58a6615bf04c58dfe3dc40643ccb74
                                  • Opcode Fuzzy Hash: 5d115630bdfe1cc0840d429e389a8d394ed4ce30cac2a77a8b456d77e678db32
                                  • Instruction Fuzzy Hash: 5D62C470524341DFEB25DF24C885BAA77E4BF44304F14496EF94A8B292DBB1DCA8CB52
                                  APIs
                                  • ___createFile.LIBCMT ref: 00295EC3
                                  • ___createFile.LIBCMT ref: 00295F04
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00295F2D
                                  • __dosmaperr.LIBCMT ref: 00295F34
                                  • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00295F47
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00295F6A
                                  • __dosmaperr.LIBCMT ref: 00295F73
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00295F7C
                                  • __set_osfhnd.LIBCMT ref: 00295FAC
                                  • __lseeki64_nolock.LIBCMT ref: 00296016
                                  • __close_nolock.LIBCMT ref: 0029603C
                                  • __chsize_nolock.LIBCMT ref: 0029606C
                                  • __lseeki64_nolock.LIBCMT ref: 0029607E
                                  • __lseeki64_nolock.LIBCMT ref: 00296176
                                  • __lseeki64_nolock.LIBCMT ref: 0029618B
                                  • __close_nolock.LIBCMT ref: 002961EB
                                    • Part of subcall function 0028EA9C: CloseHandle.KERNELBASE(00000000,0030EEF4,00000000,?,00296041,0030EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0028EAEC
                                    • Part of subcall function 0028EA9C: GetLastError.KERNEL32(?,00296041,0030EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0028EAF6
                                    • Part of subcall function 0028EA9C: __free_osfhnd.LIBCMT ref: 0028EB03
                                    • Part of subcall function 0028EA9C: __dosmaperr.LIBCMT ref: 0028EB25
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  • __lseeki64_nolock.LIBCMT ref: 0029620D
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00296342
                                  • ___createFile.LIBCMT ref: 00296361
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0029636E
                                  • __dosmaperr.LIBCMT ref: 00296375
                                  • __free_osfhnd.LIBCMT ref: 00296395
                                  • __invoke_watson.LIBCMT ref: 002963C3
                                  • __wsopen_helper.LIBCMT ref: 002963DD
                                  Strings
                                  Similarity
                                  • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                  • String ID: @
                                  • API String ID: 3896587723-2766056989
                                  • Opcode ID: 930826c75472fe88f457ee76a1c9df5d91d93f8e3e4ef67f65bce7d24caf333f
                                  • Instruction ID: 55e180909b7a848bf9103a346da382ed3923a90f79707c863844ed325c09e28a
                                  • Opcode Fuzzy Hash: 930826c75472fe88f457ee76a1c9df5d91d93f8e3e4ef67f65bce7d24caf333f
                                  • Instruction Fuzzy Hash: A3222671E305179BEF2A9F68DC89BBD7BA1EB01324F244229E9119B2E1C3758D70CB51

                                  Control-flow Graph

                                  APIs
                                  • _wcscpy.LIBCMT ref: 002AFA96
                                  • _wcschr.LIBCMT ref: 002AFAA4
                                  • _wcscpy.LIBCMT ref: 002AFABB
                                  • _wcscat.LIBCMT ref: 002AFACA
                                  • _wcscat.LIBCMT ref: 002AFAE8
                                  • _wcscpy.LIBCMT ref: 002AFB09
                                  • __wsplitpath.LIBCMT ref: 002AFBE6
                                  • _wcscpy.LIBCMT ref: 002AFC0B
                                  • _wcscpy.LIBCMT ref: 002AFC1D
                                  • _wcscpy.LIBCMT ref: 002AFC32
                                  • _wcscat.LIBCMT ref: 002AFC47
                                  • _wcscat.LIBCMT ref: 002AFC59
                                  • _wcscat.LIBCMT ref: 002AFC6E
                                    • Part of subcall function 002ABFA4: _wcscmp.LIBCMT ref: 002AC03E
                                    • Part of subcall function 002ABFA4: __wsplitpath.LIBCMT ref: 002AC083
                                    • Part of subcall function 002ABFA4: _wcscpy.LIBCMT ref: 002AC096
                                    • Part of subcall function 002ABFA4: _wcscat.LIBCMT ref: 002AC0A9
                                    • Part of subcall function 002ABFA4: __wsplitpath.LIBCMT ref: 002AC0CE
                                    • Part of subcall function 002ABFA4: _wcscat.LIBCMT ref: 002AC0E4
                                    • Part of subcall function 002ABFA4: _wcscat.LIBCMT ref: 002AC0F7
                                  Strings
                                  Similarity
                                  • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                  • String ID: >>>AUTOIT SCRIPT<<<$t21
                                  • API String ID: 2955681530-3719714515
                                  • Opcode ID: f15fe24a5f889eb387e7077dea49decf3f25b969ff4f16d40a705614e959b2fc
                                  • Instruction ID: d915ee849a10869c58ac85ae77c72c965cedd8bc55dfa7eca98ff63fdbcfb24f
                                  • Opcode Fuzzy Hash: f15fe24a5f889eb387e7077dea49decf3f25b969ff4f16d40a705614e959b2fc
                                  • Instruction Fuzzy Hash: BF91C1725243059FCB10EF50C991E9AB3E8BF49310F004869F94997292DF34EAA8CF92
                                  Similarity
                                  • API ID: __getptd_noexit
                                  • String ID:
                                  • API String ID: 3074181302-0
                                  • Opcode ID: d290c89c881a261afa79b8cb8199690f570fa026fc95359c2822d6435c68962d
                                  • Instruction ID: 3a19420cb28170873761a5e02addf833717e93e8c6080731f0bb429ff116a05f
                                  • Opcode Fuzzy Hash: d290c89c881a261afa79b8cb8199690f570fa026fc95359c2822d6435c68962d
                                  • Instruction Fuzzy Hash: 20326B78E26282CFDB31EF58D940BAD7BB1AF55314F24406AE8559F2D2C7709C62CB60

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 00263F86
                                  • RegisterClassExW.USER32(00000030), ref: 00263FB0
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00263FC1
                                  • InitCommonControlsEx.COMCTL32(?), ref: 00263FDE
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00263FEE
                                  • LoadIconW.USER32(000000A9), ref: 00264004
                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00264013
                                  Strings
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: 9d144442d96ab2cb4e3713c647c4ba2fd0e56ad1c74a17f00555174616005f5b
                                  • Instruction ID: 94c729f81acedcc3538fe99b0fbffc16ff3034fd617e57e74772f01be995ea21
                                  • Opcode Fuzzy Hash: 9d144442d96ab2cb4e3713c647c4ba2fd0e56ad1c74a17f00555174616005f5b
                                  • Instruction Fuzzy Hash: 89211AB5D40348AFDB11DFA4ED89BCDBBB8FB18700F00421AFA15AA2A0D7B10545CF90

                                  Control-flow Graph (graph image not rendered; legend: Executed / Not Executed). Function entry block 2abfa4-2ac054. Basic blocks containing API calls: 2ac29a-2ac2a9 DeleteFileW; 2ac331-2ac340 DeleteFileW; 2ac342-2ac356 CopyFileW; 2ac358-2ac365 DeleteFileW; 2ac36a-2ac380 DeleteFileW.
                                  APIs
                                    • Part of subcall function 002ABDB4: __time64.LIBCMT ref: 002ABDBE
                                    • Part of subcall function 00264517: _fseek.LIBCMT ref: 0026452F
                                  • __wsplitpath.LIBCMT ref: 002AC083
                                    • Part of subcall function 00281DFC: __wsplitpath_helper.LIBCMT ref: 00281E3C
                                  • _wcscpy.LIBCMT ref: 002AC096
                                  • _wcscat.LIBCMT ref: 002AC0A9
                                  • __wsplitpath.LIBCMT ref: 002AC0CE
                                  • _wcscat.LIBCMT ref: 002AC0E4
                                  • _wcscat.LIBCMT ref: 002AC0F7
                                  • _wcscmp.LIBCMT ref: 002AC03E
                                    • Part of subcall function 002AC56D: _wcscmp.LIBCMT ref: 002AC65D
                                    • Part of subcall function 002AC56D: _wcscmp.LIBCMT ref: 002AC670
                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002AC2A1
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002AC338
                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002AC34E
                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002AC35F
                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002AC371
                                  Similarity
                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                  • String ID:
                                  • API String ID: 2378138488-0
                                  • Opcode ID: 7ddf05311f326ea8938aa82b1fabc2f721c1f67ae47deac72ef55739a1a447d8
                                  • Instruction ID: 15ba51581375afc4dd80504ffa10cb5cde53bfc51d5dfcf1bcc21a679980844c
                                  • Opcode Fuzzy Hash: 7ddf05311f326ea8938aa82b1fabc2f721c1f67ae47deac72ef55739a1a447d8
                                  • Instruction Fuzzy Hash: 5FC11CB1E10219AFDF11EF95CC81EDEB7BDAF49310F1040AAF609E6151DB709A948F61

                                  Control-flow Graph (graph image not rendered; legend: Executed / Not Executed). Function entry block 263742-263762. Basic blocks containing API calls: 2637ab-2637b3 DefWindowProcW; 2637da-2637ed KillTimer; 2637f6-26381d SetTimer, RegisterWindowMessageW; 26381f-26382a CreatePopupMenu; 26382c-263834 PostQuitMessage; 2d1dcb-2d1dd7 SetFocus; 2d1ddc-2d1dfb MoveWindow.
                                  APIs
                                  • DefWindowProcW.USER32(?,?,?,?), ref: 002637B3
                                  • KillTimer.USER32(?,00000001), ref: 002637DD
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00263800
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0026380B
                                  • CreatePopupMenu.USER32 ref: 0026381F
                                  • PostQuitMessage.USER32(00000000), ref: 0026382E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                  • String ID: TaskbarCreated
                                  • API String ID: 129472671-2362178303
                                  • Opcode ID: 63fee7ce2adec19ab58e51f15e7841367485b61dc77cef2a8a0d4a3d6069eaea
                                  • Instruction ID: 858ea86b12fef21ca715435c7a9b8058398f0e7423cf029f88146ad9c26bd3ac
                                  • Opcode Fuzzy Hash: 63fee7ce2adec19ab58e51f15e7841367485b61dc77cef2a8a0d4a3d6069eaea
                                  • Instruction Fuzzy Hash: BD4129F513429AABDB22DF68BD4EF7A7659F754300F000129F902D6191CBA09EF09761

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 00263E79
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00263E88
                                  • LoadIconW.USER32(00000063), ref: 00263E9E
                                  • LoadIconW.USER32(000000A4), ref: 00263EB0
                                  • LoadIconW.USER32(000000A2), ref: 00263EC2
                                    • Part of subcall function 00264024: LoadImageW.USER32(00260000,00000063,00000001,00000010,00000010,00000000), ref: 00264048
                                  • RegisterClassExW.USER32(?), ref: 00263F30
                                    • Part of subcall function 00263F53: GetSysColorBrush.USER32(0000000F), ref: 00263F86
                                    • Part of subcall function 00263F53: RegisterClassExW.USER32(00000030), ref: 00263FB0
                                    • Part of subcall function 00263F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00263FC1
                                    • Part of subcall function 00263F53: InitCommonControlsEx.COMCTL32(?), ref: 00263FDE
                                    • Part of subcall function 00263F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00263FEE
                                    • Part of subcall function 00263F53: LoadIconW.USER32(000000A9), ref: 00264004
                                    • Part of subcall function 00263F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00264013
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 423443420-4155596026
                                  • Opcode ID: 3c2f4ec4f23b65365fdd2e28107d1e8bcb470d8bf46d73abebdc98f52644ba73
                                  • Instruction ID: 4a5f20ee07bd1806f96579e8a23f843a91f91f66b9077823b8607b24e676ef64
                                  • Opcode Fuzzy Hash: 3c2f4ec4f23b65365fdd2e28107d1e8bcb470d8bf46d73abebdc98f52644ba73
                                  • Instruction Fuzzy Hash: 4321A1B0D00304AFCB62DFA9ED49A9ABFF9FB18714F00812EE204A72A0D3715651CF95

                                  Control-flow Graph

                                  control_flow_graph 1289 134e448-134e49a call 134e348 CreateFileW 1292 134e4a3-134e4b0 1289->1292 1293 134e49c-134e49e 1289->1293 1296 134e4b2-134e4be 1292->1296 1297 134e4c3-134e4da VirtualAlloc 1292->1297 1294 134e5fc-134e600 1293->1294 1296->1294 1298 134e4e3-134e509 CreateFileW 1297->1298 1299 134e4dc-134e4de 1297->1299 1300 134e52d-134e547 ReadFile 1298->1300 1301 134e50b-134e528 1298->1301 1299->1294 1303 134e549-134e566 1300->1303 1304 134e56b-134e56f 1300->1304 1301->1294 1303->1294 1306 134e590-134e5a7 WriteFile 1304->1306 1307 134e571-134e58e 1304->1307 1308 134e5d2-134e5f7 CloseHandle VirtualFree 1306->1308 1309 134e5a9-134e5d0 1306->1309 1307->1294 1308->1294 1309->1294
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0134E48D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction ID: e18e66ad6bd1a2157006b777da39f01de2d6938a808e7f71dc50537fd7260ca6
                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction Fuzzy Hash: 4251EC75A50209FBEF20DFA4CC49FDE77B8BF48705F108564F609EA180EA74A644CB64

                                  Control-flow Graph

                                  control_flow_graph 1319 2649fb-264a25 call 26bcce RegOpenKeyExW 1322 2d41cc-2d41e3 RegQueryValueExW 1319->1322 1323 264a2b-264a2f 1319->1323 1324 2d41e5-2d4222 call 27f4ea call 2647b7 RegQueryValueExW 1322->1324 1325 2d4246-2d424f RegCloseKey 1322->1325 1330 2d423d-2d4245 call 2647e2 1324->1330 1331 2d4224-2d423b call 266a63 1324->1331 1330->1325 1331->1330
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00264A1D
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002D41DB
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002D421A
                                  • RegCloseKey.ADVAPI32(?), ref: 002D4249
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: QueryValue$CloseOpen
                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                  • API String ID: 1586453840-614718249
                                  • Opcode ID: af31f07877dd86043c7015d888b9f882316742a730eb2b39cc53fca717560900
                                  • Instruction ID: 7cd16131e1cb4eb092440457d89064769d7350ee03c6911f80eae269607d6898
                                  • Opcode Fuzzy Hash: af31f07877dd86043c7015d888b9f882316742a730eb2b39cc53fca717560900
                                  • Instruction Fuzzy Hash: 90116D71660109BFEB00EBA4DD8AEBFBBACEF05344F100069B60AD6191EA709E51DB50

                                  Control-flow Graph

                                  control_flow_graph 1346 2636b8-263728 CreateWindowExW * 2 ShowWindow * 2
                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002636E6
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00263707
                                  • ShowWindow.USER32(00000000,?,?,?,?,00263AA3,?), ref: 0026371B
                                  • ShowWindow.USER32(00000000,?,?,?,?,00263AA3,?), ref: 00263724
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: 4a76e6994a1cf3159a46a7e3d8f6c45cde4f5824b7d594d9f3c471a0aa925c36
                                  • Instruction ID: 36261c0a3ce3f02e0d96435b554901d21b99ad46397b94ecc0e95f9307ccedb6
                                  • Opcode Fuzzy Hash: 4a76e6994a1cf3159a46a7e3d8f6c45cde4f5824b7d594d9f3c471a0aa925c36
                                  • Instruction Fuzzy Hash: E8F05E705402D47AE7325757AD4CE777E7ED7D7F60F00802FBA04A61B0C1610892CAB4

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00265374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00321148,?,002661FF,?,00000000,00000001,00000000), ref: 00265392
                                    • Part of subcall function 002649FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00264A1D
                                  • _wcscat.LIBCMT ref: 002D2D80
                                  • _wcscat.LIBCMT ref: 002D2DB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscat$FileModuleNameOpen
                                  • String ID: 8!2$\$\Include\
                                  • API String ID: 3592542968-241281406
                                  • Opcode ID: ac436213da271f1f3664e6e47d687af5016ef94d7a13abbf706890fe3d1af4e8
                                  • Instruction ID: bc7208fc498b9326b2da9ad7fb3f4a54a6d16e58e68335dd9c5d4b41e1c88e01
                                  • Opcode Fuzzy Hash: ac436213da271f1f3664e6e47d687af5016ef94d7a13abbf706890fe3d1af4e8
                                  • Instruction Fuzzy Hash: 95515075424340AFC325EF55DD81CABB7F9BE59300F80452EF68893260DB70AA69CF52

                                  Control-flow Graph

                                  control_flow_graph 1504 2651af-2651c5 1505 2652a2-2652a6 1504->1505 1506 2651cb-2651e0 call 266b0f 1504->1506 1509 2651e6-265206 call 266a63 1506->1509 1510 2d3ca1-2d3cb0 LoadStringW 1506->1510 1513 2d3cbb-2d3cd3 call 26510d call 264db1 1509->1513 1514 26520c-265210 1509->1514 1510->1513 1522 265220-26529d call 280d50 call 2650e6 call 280d23 Shell_NotifyIconW call 26cb37 1513->1522 1526 2d3cd9-2d3cf7 call 26518c call 264db1 call 26518c 1513->1526 1517 265216-26521b call 26510d 1514->1517 1518 2652a7-2652b0 call 266eed 1514->1518 1517->1522 1518->1522 1522->1505 1526->1522
                                  APIs
                                  • _memset.LIBCMT ref: 0026522F
                                  • _wcscpy.LIBCMT ref: 00265283
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00265293
                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002D3CB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                  • String ID: Line:
                                  • API String ID: 1053898822-1585850449
                                  • Opcode ID: 3c7413212cf6de6103998267ea4c334c67d7f84e79c74e92f1c01c0cbcbb7ae1
                                  • Instruction ID: f5e790d51541f48afaef93bdf30901a89abee87447ad109aa712ce901e641b84
                                  • Opcode Fuzzy Hash: 3c7413212cf6de6103998267ea4c334c67d7f84e79c74e92f1c01c0cbcbb7ae1
                                  • Instruction Fuzzy Hash: 8631BE71428351AED331EB60EC86FDE77D8AF54300F00451EF58992191EBB0A6A9CF96
                                  APIs
                                    • Part of subcall function 002641A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002639FE,?,00000001), ref: 002641DB
                                  • _free.LIBCMT ref: 002D36B7
                                  • _free.LIBCMT ref: 002D36FE
                                    • Part of subcall function 0026C833: __wsplitpath.LIBCMT ref: 0026C93E
                                    • Part of subcall function 0026C833: _wcscpy.LIBCMT ref: 0026C953
                                    • Part of subcall function 0026C833: _wcscat.LIBCMT ref: 0026C968
                                    • Part of subcall function 0026C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0026C978
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                  • API String ID: 805182592-1757145024
                                  • Opcode ID: 446324580014941bee169b7260f01810456d31bad59e0bc82a925c6d614098de
                                  • Instruction ID: 8327f46fcda2efa813163b0fe01ec37b9340d3387f9a7f47dc92529b379ee5ab
                                  • Opcode Fuzzy Hash: 446324580014941bee169b7260f01810456d31bad59e0bc82a925c6d614098de
                                  • Instruction Fuzzy Hash: 98916D71920219AFCF04EFA4CC919EEB7B4BF19310F50442AF856AB291DB709E65CF91
                                  APIs
                                    • Part of subcall function 0134FDD8: Sleep.KERNELBASE(000001F4), ref: 0134FDE9
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0134FFF8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep
                                  • String ID: I5TX9V4UI7VE22
                                  • API String ID: 2694422964-3120586071
                                  • Opcode ID: af2111ce45483f25bea687bf4d5db352e605d0c81a5e1ba415d08cef03c75d2e
                                  • Instruction ID: 159c9231e66a6de146a0b3d052f503f80b38d5758cad13248cbd8a0fec24cf3b
                                  • Opcode Fuzzy Hash: af2111ce45483f25bea687bf4d5db352e605d0c81a5e1ba415d08cef03c75d2e
                                  • Instruction Fuzzy Hash: 3B519131D04249DBEF15DBA8C814BEFBBB9AF14704F004199E618BB2C0DB791B49CBA5
                                  APIs
                                  • _memset.LIBCMT ref: 002D3725
                                  • GetOpenFileNameW.COMDLG32 ref: 002D376F
                                    • Part of subcall function 0026660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002653B1,?,?,002661FF,?,00000000,00000001,00000000), ref: 0026662F
                                    • Part of subcall function 002640A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002640C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Name$Path$FileFullLongOpen_memset
                                  • String ID: X$t31
                                  • API String ID: 3777226403-391966456
                                  • Opcode ID: f89bd5534988dab63bfd2717ea10941983f4ceb25f9efa8b00bdbf638bd01225
                                  • Instruction ID: 9934fa7cf334be380102ba558c0cd4bbd6877a6b28bef71ca14b19fd0a5d452e
                                  • Opcode Fuzzy Hash: f89bd5534988dab63bfd2717ea10941983f4ceb25f9efa8b00bdbf638bd01225
                                  • Instruction Fuzzy Hash: 2A21D571A202989BDF02EFD4D8457EEBBF89F49304F00405AE444A7241DBB45AD98F65
                                  APIs
                                  • __getstream.LIBCMT ref: 002834FE
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 00283539
                                  • __wopenfile.LIBCMT ref: 00283549
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                  • String ID: <G
                                  • API String ID: 1820251861-2138716496
                                  • Opcode ID: 0f3536fbf41ea9b2ae80d09584d501f5cfa8f04b7bc8626ac83db4206e3425e5
                                  • Instruction ID: 0880d436de6591f0d5c7f8da1fbae79703110807fd6f3ccf2481ac0426c17fd8
                                  • Opcode Fuzzy Hash: 0f3536fbf41ea9b2ae80d09584d501f5cfa8f04b7bc8626ac83db4206e3425e5
                                  • Instruction Fuzzy Hash: 2E110A78A232069BDB22FF708C4266E36A4AF09B50B158425E415D71D1EB74CA319BB1
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0027D28B,SwapMouseButtons,00000004,?), ref: 0027D2BC
                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0027D28B,SwapMouseButtons,00000004,?,?,?,?,0027C865), ref: 0027D2DD
                                  • RegCloseKey.KERNELBASE(00000000,?,?,0027D28B,SwapMouseButtons,00000004,?,?,?,?,0027C865), ref: 0027D2FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 3677997916-824357125
                                  • Opcode ID: 473984408bbae5aac8b0f20c5760aafb454efaec24298da72f12487d2177136d
                                  • Instruction ID: 790d5df70c8ad524d8f7833d3a34b940987528a3e4c7c4b67358a4a1ac0910c5
                                  • Opcode Fuzzy Hash: 473984408bbae5aac8b0f20c5760aafb454efaec24298da72f12487d2177136d
                                  • Instruction Fuzzy Hash: 27113975A21209BFDB208FA8DC84EAF7BBCEF45754F108869E809D7110E771AE519B60
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                  • String ID:
                                  • API String ID: 3877424927-0
                                  • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                  • Instruction ID: 8c43f190647d89f65a33b33ec6d803f0bd770ec1c3626682632b43f8eb29c972
                                  • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                  • Instruction Fuzzy Hash: B551ABB8A22216ABDB24FF69C88455EB7A5AF40B20F244729F825962D0D774DF708F44
                                  APIs
                                    • Part of subcall function 00264517: _fseek.LIBCMT ref: 0026452F
                                    • Part of subcall function 002AC56D: _wcscmp.LIBCMT ref: 002AC65D
                                    • Part of subcall function 002AC56D: _wcscmp.LIBCMT ref: 002AC670
                                  • _free.LIBCMT ref: 002AC4DD
                                  • _free.LIBCMT ref: 002AC4E4
                                  • _free.LIBCMT ref: 002AC54F
                                    • Part of subcall function 00281C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00287A85), ref: 00281CB1
                                    • Part of subcall function 00281C9D: GetLastError.KERNEL32(00000000,?,00287A85), ref: 00281CC3
                                  • _free.LIBCMT ref: 002AC557
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                  • String ID:
                                  • API String ID: 1552873950-0
                                  • Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                  • Instruction ID: 50b812379d320928bc1c6bf9ccd887fd1f3931110e90ecafd0024d3319e25fbc
                                  • Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                  • Instruction Fuzzy Hash: A75142B5D14219AFDF14AF64DC81BAEB7B9EF48300F10009EF259A7281DB715AA0CF59
                                  APIs
                                  • _memset.LIBCMT ref: 0027EBB2
                                    • Part of subcall function 002651AF: _memset.LIBCMT ref: 0026522F
                                    • Part of subcall function 002651AF: _wcscpy.LIBCMT ref: 00265283
                                    • Part of subcall function 002651AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00265293
                                  • KillTimer.USER32(?,00000001,?,?), ref: 0027EC07
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0027EC16
                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002D3C88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                  • String ID:
                                  • API String ID: 1378193009-0
                                  • Opcode ID: 8e5bc36f3b61cbdf7e3abcd9fedf3d67a740efbaffc543df4b4117c9ead795ba
                                  • Instruction ID: 217edf3ad3caba86f811ab59712160e7fc95a12fd99e1336464093d846863b56
                                  • Opcode Fuzzy Hash: 8e5bc36f3b61cbdf7e3abcd9fedf3d67a740efbaffc543df4b4117c9ead795ba
                                  • Instruction Fuzzy Hash: 3C210A745247849FEB33DB24DC59BE7BBEC9B15304F04008FE28E56281C3B02E848B52
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 0134EB6D
                                  • ExitProcess.KERNEL32(00000000), ref: 0134EB8C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Process$CreateExit
                                  • String ID: D
                                  • API String ID: 126409537-2746444292
                                  • Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
                                  • Instruction ID: 97e3cf746f5bdfd251a4dff21dd0dc4f2e5ced40c6a0dba594ae7a389b2d5b9c
                                  • Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
                                  • Instruction Fuzzy Hash: 1DF0FF7154424CABDB60EFE4CC49FEE777CBF04705F408518FB0AAB184DA7996088B61
                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 002AC72F
                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002AC746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Temp$FileNamePath
                                  • String ID: aut
                                  • API String ID: 3285503233-3010740371
                                  • Opcode ID: c9d9e92acec36217e1b68d20faaeebdb0ad53aa2e67bc3b0c337eec8202bd609
                                  • Instruction ID: c299aa9bbc4e89f4c05a002255d6cbd37599fcc9edc84698cf8315c9c2c9b26e
                                  • Opcode Fuzzy Hash: c9d9e92acec36217e1b68d20faaeebdb0ad53aa2e67bc3b0c337eec8202bd609
                                  • Instruction Fuzzy Hash: CFD05E7154030EABDB10AB90EC4EFCA776C9704704F0001A0BB50A90B2DBB0E6998B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33b59ab4018b14e43f7acc3dd8345b3f2701f0e074e2c1a404a91478ce9384d1
                                  • Instruction ID: 64f4846f78d1f3a56a5ed69f22c80d0faf0891052419b0824a0f05e323f6f00f
                                  • Opcode Fuzzy Hash: 33b59ab4018b14e43f7acc3dd8345b3f2701f0e074e2c1a404a91478ce9384d1
                                  • Instruction Fuzzy Hash: 72F169716143019FCB10DF28C981B9AB7E5FF88314F10892EF9999B292DB70E955CF82
                                  APIs
                                  • _memset.LIBCMT ref: 00265022
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002650CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell__memset
                                  • String ID:
                                  • API String ID: 928536360-0
                                  • Opcode ID: abdcaea3b5e53fd79f21c76107688d77609b81a57e5fc21a0492b3964850dcde
                                  • Instruction ID: fb40e03025ef3d942aa545873e4fdf5a850633ac6f62fadaba74a3a64e8368d4
                                  • Opcode Fuzzy Hash: abdcaea3b5e53fd79f21c76107688d77609b81a57e5fc21a0492b3964850dcde
                                  • Instruction Fuzzy Hash: 27319EB0514712CFC731EF24D98569BBBE8FF59308F00092EF59A87241E771A998CB92
                                  APIs
                                  • __FF_MSGBANNER.LIBCMT ref: 00283973
                                    • Part of subcall function 002881C2: __NMSG_WRITE.LIBCMT ref: 002881E9
                                    • Part of subcall function 002881C2: __NMSG_WRITE.LIBCMT ref: 002881F3
                                  • __NMSG_WRITE.LIBCMT ref: 0028397A
                                    • Part of subcall function 0028821F: GetModuleFileNameW.KERNEL32(00000000,00320312,00000104,00000000,00000001,00000000), ref: 002882B1
                                    • Part of subcall function 0028821F: ___crtMessageBoxW.LIBCMT ref: 0028835F
                                    • Part of subcall function 00281145: ___crtCorExitProcess.LIBCMT ref: 0028114B
                                    • Part of subcall function 00281145: ExitProcess.KERNEL32 ref: 00281154
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  • RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000001,00000000,?,?,0027F507,?,0000000E), ref: 0028399F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                  • String ID:
                                  • API String ID: 1372826849-0
                                  • Opcode ID: 1f996a95c093f129aade7906c64a4316d3b009ad2a5d159b45825b64260a15e0
                                  • Instruction ID: 46cada5fe1fb43502844f8036ef45ed616ef69749394feb0af01e44e0828af59
                                  • Opcode Fuzzy Hash: 1f996a95c093f129aade7906c64a4316d3b009ad2a5d159b45825b64260a15e0
                                  • Instruction Fuzzy Hash: 0801963D2772129AE6267F34EC46A2A234C9B81B60F21002AF9059B1D2DFF0DD614B60
                                  APIs
                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002AC385,?,?,?,?,?,00000004), ref: 002AC6F2
                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002AC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002AC708
                                  • CloseHandle.KERNEL32(00000000,?,002AC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002AC70F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateHandleTime
                                  • String ID:
                                  • API String ID: 3397143404-0
                                  • Opcode ID: 53f5eb978bb7c1a91f4db2439f37d878ab785f175a57a1a44f3f68f0d6fd4cd6
                                  • Instruction ID: 9cf2cfca3044ce5acd5a6f57e3bae7f71a4f31bebded0044301b629aa68df5dd
                                  • Opcode Fuzzy Hash: 53f5eb978bb7c1a91f4db2439f37d878ab785f175a57a1a44f3f68f0d6fd4cd6
                                  • Instruction Fuzzy Hash: 65E08632180214BBDB211F54BC4DFCA7B18AB05760F104110FB146D0E097B225219B98
                                  APIs
                                  • _free.LIBCMT ref: 002ABB72
                                    • Part of subcall function 00281C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00287A85), ref: 00281CB1
                                    • Part of subcall function 00281C9D: GetLastError.KERNEL32(00000000,?,00287A85), ref: 00281CC3
                                  • _free.LIBCMT ref: 002ABB83
                                  • _free.LIBCMT ref: 002ABB95
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                  • Instruction ID: 231febad5d62a377b3879c684acdc42745879a98148c83b4f651e782e8c81dc2
                                  • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                  • Instruction Fuzzy Hash: 44E012A566274287DA2479796E44FB313CC4F053567140C1EB859E71CBCF24E871CAB4
                                  APIs
                                    • Part of subcall function 002622A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002624F1), ref: 00262303
                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002625A1
                                  • CoInitialize.OLE32(00000000), ref: 00262618
                                  • CloseHandle.KERNEL32(00000000), ref: 002D503A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Handle$CloseInitializeMessageRegisterWindow
                                  • String ID:
                                  • API String ID: 3815369404-0
                                  • Opcode ID: 53e0eaa96b4fbf8bd62fa27d92d49c21fd3476ed5ade98305a89812dd57fd29f
                                  • Instruction ID: 53f53f2959034c411749c0eaa9696b4a04489faaea9b8fd4e9c01dc040d328a2
                                  • Opcode Fuzzy Hash: 53e0eaa96b4fbf8bd62fa27d92d49c21fd3476ed5ade98305a89812dd57fd29f
                                  • Instruction Fuzzy Hash: 1E71CEB8911389CBC327EF6AAB90495BBADFB79340B90496EE109C7371CB304466CF55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID: EA06
                                  • API String ID: 2638373210-3962188686
                                  • Opcode ID: 86484bbb8296fecec2a5920bd23014f48f081ff36a345a608ba594f06c2bfab2
                                  • Instruction ID: 0981a4a656b1e67f95b9ed33010b435c0692fd775a8641db31effbdb42e33a9c
                                  • Opcode Fuzzy Hash: 86484bbb8296fecec2a5920bd23014f48f081ff36a345a608ba594f06c2bfab2
                                  • Instruction Fuzzy Hash: 1801F5729142187FDB29D7A8C816FEEBBF89B05711F00459BF192D6181E9B4A718CB60
                                  APIs
                                  • IsThemeActive.UXTHEME ref: 00263A73
                                    • Part of subcall function 00281405: __lock.LIBCMT ref: 0028140B
                                    • Part of subcall function 00263ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00263AF3
                                    • Part of subcall function 00263ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00263B08
                                    • Part of subcall function 00263D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00263AA3,?), ref: 00263D45
                                    • Part of subcall function 00263D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00263AA3,?), ref: 00263D57
                                    • Part of subcall function 00263D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00321148,00321130,?,?,?,?,00263AA3,?), ref: 00263DC8
                                    • Part of subcall function 00263D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00263AA3,?), ref: 00263E48
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00263AB3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                  • String ID:
                                  • API String ID: 924797094-0
                                  • Opcode ID: 2ea77519fe197aca5f2d21bcbcc5df96571fe5fbdeede8875d60e3ddf3e0f725
                                  • Instruction ID: 3b73fb0471f8a5f1a939971ff1281a663c0e4981074708793782b101ff2f81a3
                                  • Opcode Fuzzy Hash: 2ea77519fe197aca5f2d21bcbcc5df96571fe5fbdeede8875d60e3ddf3e0f725
                                  • Instruction Fuzzy Hash: F81190719143419BC311EF65ED4590BFBE8EBA4710F00891FF489872A1DB709AA6CF92
                                  APIs
                                  • ___lock_fhandle.LIBCMT ref: 0028EA29
                                  • __close_nolock.LIBCMT ref: 0028EA42
                                    • Part of subcall function 00287BDA: __getptd_noexit.LIBCMT ref: 00287BDA
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                  • String ID:
                                  • API String ID: 1046115767-0
                                  • Opcode ID: 0024717eb790dc09b28372850056541228a8ba06fc826f2d02ffe6f0223daf9f
                                  • Instruction ID: 97549520af3ff48276d6c8184dc236a9e6de41e1dc61c0353d4d834c58ff7418
                                  • Opcode Fuzzy Hash: 0024717eb790dc09b28372850056541228a8ba06fc826f2d02ffe6f0223daf9f
                                  • Instruction Fuzzy Hash: FA11C27A8376109EDB1ABF68C8423583A616F81736F274340E4701F1F3CBB488618FA1
                                  APIs
                                    • Part of subcall function 0028395C: __FF_MSGBANNER.LIBCMT ref: 00283973
                                    • Part of subcall function 0028395C: __NMSG_WRITE.LIBCMT ref: 0028397A
                                    • Part of subcall function 0028395C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000001,00000000,?,?,0027F507,?,0000000E), ref: 0028399F
                                  • std::exception::exception.LIBCMT ref: 0027F51E
                                  • __CxxThrowException@8.LIBCMT ref: 0027F533
                                    • Part of subcall function 00286805: RaiseException.KERNEL32(?,?,0000000E,00316A30,?,?,?,0027F538,0000000E,00316A30,?,00000001), ref: 00286856
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                  • String ID:
                                  • API String ID: 3902256705-0
                                  • Opcode ID: 637497b908b5182cc5428631e4319be6750431b770729d5a552e8e8301602270
                                  • Instruction ID: c06c2d0230fb5619acfa1e394a39795f8396ff760e900a2515d2f1818db1a431
                                  • Opcode Fuzzy Hash: 637497b908b5182cc5428631e4319be6750431b770729d5a552e8e8301602270
                                  • Instruction Fuzzy Hash: E7F0F43506821E67CB04BF98DD019DE77EC9F00314FA48035FA08921C1DBB097608BA5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __lock_file_memset
                                  • String ID:
                                  • API String ID: 26237723-0
                                  • Opcode ID: 42a9067a8c5ef1d2a98dcd6e982f78a6fdc54d0bdbf54fe77688a655175cff38
                                  • Instruction ID: 648ba4e3bc0b5618f5713846a2a8eb84ced3112310a3235f66fcce01ae998a0b
                                  • Opcode Fuzzy Hash: 42a9067a8c5ef1d2a98dcd6e982f78a6fdc54d0bdbf54fe77688a655175cff38
                                  • Instruction Fuzzy Hash: 87012179812209ABCF26FFA58C0699E7B61BF40720F158129F824561E1D7718B71DF91
                                  APIs
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  • __lock_file.LIBCMT ref: 00283629
                                    • Part of subcall function 00284E1C: __lock.LIBCMT ref: 00284E3F
                                  • __fclose_nolock.LIBCMT ref: 00283634
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 2800547568-0
                                  • Opcode ID: fb541fbfbb47d58a29d4efb89b5791f176aba75d18d2de11bfff68eb0090745e
                                  • Instruction ID: 2964d1b30f0381c853381240e000d08d1bc413e82b3f73ad9738caffcfec7e86
                                  • Opcode Fuzzy Hash: fb541fbfbb47d58a29d4efb89b5791f176aba75d18d2de11bfff68eb0090745e
                                  • Instruction Fuzzy Hash: 67F0BB39C23215AAD711FF69C80675E76A46F40B34F258109E410AB2D1D77C86219F59
                                  APIs
                                    • Part of subcall function 0134E408: GetFileAttributesW.KERNELBASE(?), ref: 0134E413
                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0134ECD9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  • Opcode ID: 29a5109add35a2f2699283169148ef09cb1c0c8227eb40f6bea26eea690f2975
                                  • Instruction ID: d625f18132e92fbbb6266e390937607c4d13193f4731ab398ee917adc727c385
                                  • Opcode Fuzzy Hash: 29a5109add35a2f2699283169148ef09cb1c0c8227eb40f6bea26eea690f2975
                                  • Instruction Fuzzy Hash: 81515131A1021997EF14EFB4C854BEE7379FF58700F004568B609EB290EB79AB45CBA5
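The records on this page come from two different kinds of memory dump. Functions such as the `__flush` and `___lock_fhandle` wrappers are disassembled from the 0x260000 image, whose source dump is marked "based on PE: true" (the mapped EKSTRE_1022.exe itself). The `CreateDirectoryW` function directly above comes from a dump at 0x134D000 that is not backed by a PE at all. Read with the field layout assumed below, that dump's name carries protection 0x40 (PAGE_EXECUTE_READWRITE) and memory type 0x20000 (MEM_PRIVATE): code written into the process and executed, not mapped from the file, which is what the hollowing and unpacking signatures in the report summary describe. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it parses function records in this layout into structured data and flags such dumps. The dotted .sdmp name layout is an assumption (only the protection and memory-type fields are decoded, using the standard Win32 PAGE_* and MEM_* constants), and the sample input is two records copied from this page with their Associated lists cut down.

```python
"""Parse Joe Sandbox function records (the APIs / Memory Dump Source / Similarity
blocks on this page) and decode the .sdmp dump-file name they reference.
Added example, not Joe Sandbox code. Assumed name layout (only protection and
memory type are decoded, using standard Win32 PAGE_* / MEM_* values):
<proc index>.<stage>.<dump id>.<base>.<protection>.<?>.<memory type>.<?>.sdmp
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
API_REF_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\(.*\))?,? ref: [0-9A-Fa-f]+$")
HEADERS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


def decode_sdmp(name: str) -> dict:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError("not a Joe Sandbox dump name: " + name)
    protect, mtype = int(m["protect"], 16), int(m["mtype"], 16)
    return {"process_index": int(m["proc"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "mem_type": MEM_TYPE.get(mtype, hex(mtype)),
            "executable": bool(protect & 0xF0),   # any PAGE_EXECUTE* value
            "writable": bool(protect & 0xCC)}     # READWRITE / WRITECOPY values


@dataclass
class Record:
    apis: List[Tuple[str, str, bool]] = field(default_factory=list)  # (api, module, via subcall)
    source: Optional[dict] = None
    associated: List[str] = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # IDA plugin and Similarity key/values


def parse_records(text: str) -> List[Record]:
    records: List[Record] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            # a record starts at "APIs", or at "Memory Dump Source" if there was no APIs block
            if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.source)):
                cur = Record()
                records.append(cur)
            section = line
        elif line and cur is not None:
            body = line.lstrip("• ")
            if section == "APIs":
                m = API_REF_RE.match(body)
                if m:
                    cur.apis.append((m["api"], m["module"], m["sub"] is not None))
                continue
            key, _, val = body.partition(":")
            val = re.sub(r"Download File$", "", val).strip()  # web-page link residue
            if key == "Source File":
                cur.source = decode_sdmp(val.split(",")[0])
                cur.source["offset"] = int(re.search(r"Offset: ([0-9A-Fa-f]+)", val)[1], 16)
                cur.source["based_on_pe"] = val.endswith("based on PE: true")
            elif key == "Associated":
                cur.associated.append(val)
            else:
                cur.similarity[key.strip()] = val
    return records


def direct_apis(record: Record) -> List[str]:
    """APIs the function calls itself, ignoring ones reached through subcalls."""
    return [api for api, _, via_sub in record.apis if not via_sub]


def unpacked_code_candidates(records: List[Record]) -> List[dict]:
    """Executable, writable, private dumps not backed by a PE on disk: the shape of
    code unpacked or injected at run time rather than loaded from the sample file."""
    return [r.source for r in records if r.source and r.source["executable"]
            and r.source["writable"] and r.source["mem_type"] == "MEM_PRIVATE"
            and not r.source["based_on_pe"]]


# Constructed sample: two function records copied from this report, Associated lists cut down.
SAMPLE = """
APIs
  • Part of subcall function 0134E408: GetFileAttributesW.KERNELBASE(?), ref: 0134E413
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 0134ECD9
Memory Dump Source
• Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
APIs
• __flush.LIBCMT ref: 00282A0B
  • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
Memory Dump Source
• Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: __flush__getptd_noexit
"""
```

`parse_records(SAMPLE)` yields two records; `unpacked_code_candidates` returns only the 0x134D000 dump, because the 0x261000 dump is PAGE_EXECUTE_READ, MEM_IMAGE and PE-backed. The Similarity dictionary keeps Opcode ID and Instruction Fuzzy Hash strings untouched, so the same parser can group functions across reports by those hashes.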
                                  APIs
                                  • __flush.LIBCMT ref: 00282A0B
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __flush__getptd_noexit
                                  • String ID:
                                  • API String ID: 4101623367-0
                                  • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                  • Instruction ID: 808361a8d9a1264a00c38d2a8aed5a84d5ad2b401abacd632b9c1587d3951748
                                  • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                  • Instruction Fuzzy Hash: FC41C678722707DFDF2CAEA9C88056E77A6AF44360F24852DE855C72C0EB70DD688B40
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction ID: 1b12b6f28739694ab808218ad7120e1b3a9fb0986982fde2c0e686a6fa9c78fb
                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction Fuzzy Hash: 4731D670A101069FCB28DF58C490969FBAAFB49340B65C6E5E40DCB265DB30EDE1CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: ee80f99bdcf60b2386f2511c489d7182f6696f8ced84a9641d069f653a65a269
                                  • Instruction ID: eddb73972b83c301afb3b93128ddb229d8e6d7eac9e910b4cd8eaa4acb681567
                                  • Opcode Fuzzy Hash: ee80f99bdcf60b2386f2511c489d7182f6696f8ced84a9641d069f653a65a269
                                  • Instruction Fuzzy Hash: 9131C275124524CFCB11AF10D4D0B6E77B0FF49720F20854EEA991B386DBB0A965DF82
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 82d959b2470b1029585db4a0b396cae72950ebda1016c9e2163806dcb8a0e9de
                                  • Instruction ID: 77f92c9db9cf921230e0b4532c021ed196fdf790969f85c9a4baa91fa6e74532
                                  • Opcode Fuzzy Hash: 82d959b2470b1029585db4a0b396cae72950ebda1016c9e2163806dcb8a0e9de
                                  • Instruction Fuzzy Hash: EB415970518611CFDB24DF18C484B1ABBE1AF44308F1989ADE99A5B362C372ECA5CF42
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __getptd_noexit
                                  • String ID:
                                  • API String ID: 3074181302-0
                                  • Opcode ID: 815c724058ef9ddbae8fee4b1135a25be3fc29e8d4dfbe03e9adf2c15b3722e6
                                  • Instruction ID: 2d5adbdb08a9024d3f743b32007c185c973aeb17019132a7b5427a9633820418
                                  • Opcode Fuzzy Hash: 815c724058ef9ddbae8fee4b1135a25be3fc29e8d4dfbe03e9adf2c15b3722e6
                                  • Instruction Fuzzy Hash: BC216D7A8376019FDB227FA8CC457583AA56F42336F260640E8304B1E2DBB4D8649FA1
                                  APIs
                                    • Part of subcall function 00264214: FreeLibrary.KERNEL32(00000000,?), ref: 00264247
                                  • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002639FE,?,00000001), ref: 002641DB
                                    • Part of subcall function 00264291: FreeLibrary.KERNEL32(00000000), ref: 002642C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Library$Free$Load
                                  • String ID:
                                  • API String ID: 2391024519-0
                                  • Opcode ID: ba891736c3ba6265101de48f9cbdd6500aaf13e59bbdc773e9ffe329b3afb691
                                  • Instruction ID: 4df1c3e869fd253ca1c55e5151429cc09acf96f7b2b61698164489b5fe964f85
                                  • Opcode Fuzzy Hash: ba891736c3ba6265101de48f9cbdd6500aaf13e59bbdc773e9ffe329b3afb691
                                  • Instruction Fuzzy Hash: CB11A771620206ABDB14BF74DC26F9E77A99F40704F208429F9D6A61D1DE709EA09F60
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 3a5be4ae284d977c0ac78c81628ad74b8a84126230bc96fcf9f52e5dc7d5da6c
                                  • Instruction ID: 821a2cccc37b1ac0e472a276beba9c7ba498c7b34df3812d546b6ce0d97b25de
                                  • Opcode Fuzzy Hash: 3a5be4ae284d977c0ac78c81628ad74b8a84126230bc96fcf9f52e5dc7d5da6c
                                  • Instruction Fuzzy Hash: F4212670528712CFDB24DF28C484B1ABBE1BF84304F15896DE99A4B261D772E869CF52
                                  APIs
                                  • ___lock_fhandle.LIBCMT ref: 0028AFC0
                                    • Part of subcall function 00287BDA: __getptd_noexit.LIBCMT ref: 00287BDA
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __getptd_noexit$___lock_fhandle
                                  • String ID:
                                  • API String ID: 1144279405-0
                                  • Opcode ID: 7354fd66f16240dd99e754639d9a4bfac93813ebcfeab384f9a392aa8d6c170f
                                  • Instruction ID: 5b8607ec95887c7f8e13c85029c5492903d23d083645da85dff6d9830b39119f
                                  • Opcode Fuzzy Hash: 7354fd66f16240dd99e754639d9a4bfac93813ebcfeab384f9a392aa8d6c170f
                                  • Instruction Fuzzy Hash: 0C11907A82B6009FE7177FA4884276D3A61AF41335F294248E4341B1E2CBB589619FA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                  • Instruction ID: 52dcf7ff4bbedac1f466c44f265aa32a821dd4a61b3f87ca537089f680a7c6c1
                                  • Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                  • Instruction Fuzzy Hash: D101367152010AEFCF05EFA4C8918EEBB74AF25344F108066B56597195EA309AA9DF60
                                  APIs
                                  • __lock_file.LIBCMT ref: 00282AED
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 2597487223-0
                                  • Opcode ID: 89fb32c2e44d05b29c8fb20221e3796f7bc01cea27597936a8691bbf369bf1f6
                                  • Instruction ID: 019587474c4597d713a0c6c4e1a44ae2facb872dbee1f5ed8d385a8cb54aa820
                                  • Opcode Fuzzy Hash: 89fb32c2e44d05b29c8fb20221e3796f7bc01cea27597936a8691bbf369bf1f6
                                  • Instruction Fuzzy Hash: 21F0C239522206EBDF2ABF648C067DF36A5BF00324F158415F4109B1D1C7788A76DF41
                                  APIs
                                  • FreeLibrary.KERNEL32(?,?,?,?,?,002639FE,?,00000001), ref: 00264286
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: da094679d8021094c2125d33c84f803622af4d84f3965378547d811c3c95263b
                                  • Instruction ID: c3e644aeac954c888caf9086901b140724a37093f0df1955f87bf1a183ab4b85
                                  • Opcode Fuzzy Hash: da094679d8021094c2125d33c84f803622af4d84f3965378547d811c3c95263b
                                  • Instruction Fuzzy Hash: 9DF039B5525702CFCB34AF64E8A4816BBE4BF043253348A3EF9D686610C77298A4DF50
                                  APIs
                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002640C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID:
                                  • API String ID: 82841172-0
                                  • Opcode ID: d10a2d092e51b48819d03f3912f51ad13948465e312443b7baece6f8f4ca8b24
                                  • Instruction ID: cf9794af47de335d628d04e94bd678bb6115d6942da7932f60e1dbb850a4a31c
                                  • Opcode Fuzzy Hash: d10a2d092e51b48819d03f3912f51ad13948465e312443b7baece6f8f4ca8b24
                                  • Instruction Fuzzy Hash: B9E0C2366002245BC711A698DC8AFEA77ADDF886A0F0900B5F909EB244DA64ADD18A90
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                  • Instruction ID: 63cee2a8c6cb6a4496fad0775aa6db3029f42370155d2501a66832a6af90a018
                                  • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                  • Instruction Fuzzy Hash: 91E092B0514B409BD7358E24D800BE373E0EB06305F00081DF29B83242EB627851CB59
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 0134E413
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                  • Instruction ID: ef853492766495f2750dc12b196aaedb02228ab0f493cb51b2ccb6bc515e7cf4
                                  • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                  • Instruction Fuzzy Hash: 20E08C30A0620CEBDB10CAA88904AE973E8BB04324F804664E906E3781D538AA00DA55
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 0134E3E3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction ID: 4295ab03fc4c31b1727510bf7fbff7acd3a52b0b0f2993302aca0bf7eee8003c
                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction Fuzzy Hash: 7BD05E3090520CABCB10CBA8990899E77A8E705365F004764E91583280D535A9009750
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 0134FDE9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction ID: 87d286abadf795cc40748caf40f65c3ba34de0367212a79f9af3b06938c89109
                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction Fuzzy Hash: D8E0BF7494010DEFDB10DFA8D6496DE7BB4EF04712F1005A1FD05D7681DB309E548A62
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 0134FDE9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction ID: dfc4add24795393e87bb29ade2c6263b4a4c2b098a2c11369cacb50087badc81
                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction Fuzzy Hash: DAE0E67494010DDFDB00DFB8D64969E7BF4EF04702F100161FD05D2281D6309E508A62
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 002CF87D
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002CF8DC
                                  • GetWindowLongW.USER32(?,000000F0), ref: 002CF919
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002CF940
                                  • SendMessageW.USER32 ref: 002CF966
                                  • _wcsncpy.LIBCMT ref: 002CF9D2
                                  • GetKeyState.USER32(00000011), ref: 002CF9F3
                                  • GetKeyState.USER32(00000009), ref: 002CFA00
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002CFA16
                                  • GetKeyState.USER32(00000010), ref: 002CFA20
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002CFA4F
                                  • SendMessageW.USER32 ref: 002CFA72
                                  • SendMessageW.USER32(?,00001030,?,002CE059), ref: 002CFB6F
                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 002CFB85
                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002CFB96
                                  • SetCapture.USER32(?), ref: 002CFB9F
                                  • ClientToScreen.USER32(?,?), ref: 002CFC03
                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002CFC0F
                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 002CFC29
                                  • ReleaseCapture.USER32 ref: 002CFC34
                                  • GetCursorPos.USER32(?), ref: 002CFC69
                                  • ScreenToClient.USER32(?,?), ref: 002CFC76
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 002CFCD8
                                  • SendMessageW.USER32 ref: 002CFD02
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 002CFD41
                                  • SendMessageW.USER32 ref: 002CFD6C
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002CFD84
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 002CFD8F
                                  • GetCursorPos.USER32(?), ref: 002CFDB0
                                  • ScreenToClient.USER32(?,?), ref: 002CFDBD
                                  • GetParent.USER32(?), ref: 002CFDD9
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 002CFE3F
                                  • SendMessageW.USER32 ref: 002CFE6F
                                  • ClientToScreen.USER32(?,?), ref: 002CFEC5
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002CFEF1
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 002CFF19
                                  • SendMessageW.USER32 ref: 002CFF3C
                                  • ClientToScreen.USER32(?,?), ref: 002CFF86
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002CFFB6
                                  • GetWindowLongW.USER32(?,000000F0), ref: 002D004B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 2516578528-4164748364
                                  • Opcode ID: 94854290556ffff2f6e2e12f71426139a75763a0ba09e5771c097004a09f5732
                                  • Instruction ID: 2c002e1900f4bd7d80a0b9bc19cc77c47ceb6e4036568dde735f37e76cbc3652
                                  • Opcode Fuzzy Hash: 94854290556ffff2f6e2e12f71426139a75763a0ba09e5771c097004a09f5732
                                  • Instruction Fuzzy Hash: 8132A974614246AFDB21CF24C984FAABBAAFF48354F14072EFA95872A0C770DC65CB51
                                  APIs
                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002CB1CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: %d/%02d/%02d
                                  • API String ID: 3850602802-328681919
                                  • Opcode ID: e591a3d1ef07bd8974d0125d5ad5f0b067904e09a58629075f200ed22e728281
                                  • Instruction ID: 4f230a48d52d524ab34caab4edd30b746080f6479b1a38dfbec3c7e143165fa7
                                  • Opcode Fuzzy Hash: e591a3d1ef07bd8974d0125d5ad5f0b067904e09a58629075f200ed22e728281
                                  • Instruction Fuzzy Hash: 9012FF71520249ABEB268F64DC8AFAE7BB8FF45314F14421DF91ADB2D0DBB08951CB11
                                  APIs
                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 0027EB4A
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D3AEA
                                  • IsIconic.USER32(000000FF), ref: 002D3AF3
                                  • ShowWindow.USER32(000000FF,00000009), ref: 002D3B00
                                  • SetForegroundWindow.USER32(000000FF), ref: 002D3B0A
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002D3B20
                                  • GetCurrentThreadId.KERNEL32 ref: 002D3B27
                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 002D3B33
                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002D3B44
                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002D3B4C
                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 002D3B54
                                  • SetForegroundWindow.USER32(000000FF), ref: 002D3B57
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002D3B6C
                                  • keybd_event.USER32(00000012,00000000), ref: 002D3B77
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002D3B81
                                  • keybd_event.USER32(00000012,00000000), ref: 002D3B86
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002D3B8F
                                  • keybd_event.USER32(00000012,00000000), ref: 002D3B94
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002D3B9E
                                  • keybd_event.USER32(00000012,00000000), ref: 002D3BA3
                                  • SetForegroundWindow.USER32(000000FF), ref: 002D3BA6
                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 002D3BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 4125248594-2988720461
                                  • Opcode ID: b590902705c985f197e88b908d3639ca266ff7b5785c295911b038f7053d7d96
                                  • Instruction ID: a95904d82cf819a56424cd0d5e64333ad8a224e7ab04681168a26d2eff0eec49
                                  • Opcode Fuzzy Hash: b590902705c985f197e88b908d3639ca266ff7b5785c295911b038f7053d7d96
                                  • Instruction Fuzzy Hash: 4F31B471A903187FEB205F65AC8DFBF7E6CEB44B54F104016FA04EE2D0D6B15D10AAA1
                                  APIs
                                    • Part of subcall function 0029B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029B180
                                    • Part of subcall function 0029B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029B1AD
                                    • Part of subcall function 0029B134: GetLastError.KERNEL32 ref: 0029B1BA
                                  • _memset.LIBCMT ref: 0029AD08
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0029AD5A
                                  • CloseHandle.KERNEL32(?), ref: 0029AD6B
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0029AD82
                                  • GetProcessWindowStation.USER32 ref: 0029AD9B
                                  • SetProcessWindowStation.USER32(00000000), ref: 0029ADA5
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0029ADBF
                                    • Part of subcall function 0029AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0029ACC0), ref: 0029AB99
                                    • Part of subcall function 0029AB84: CloseHandle.KERNEL32(?,?,0029ACC0), ref: 0029ABAB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                  • String ID: $H*1$default$winsta0
                                  • API String ID: 2063423040-3986054296
                                  • Opcode ID: d226e62cbe9344958d11721eb7df7cbcf166173f246e81ac0d79e3296ca8a2d7
                                  • Instruction ID: 35ec40aa7f4d78f78be4e4bc11083bd1a7115216060dd4a3d6737f8c507a2623
                                  • Opcode Fuzzy Hash: d226e62cbe9344958d11721eb7df7cbcf166173f246e81ac0d79e3296ca8a2d7
                                  • Instruction Fuzzy Hash: 4D816D7181034AAFDF119FA4DC89AEEBBB9FF08304F044129F914A6161D7718E65DFA1
                                  APIs
                                    • Part of subcall function 002A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002A5FA6,?), ref: 002A6ED8
                                    • Part of subcall function 002A6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002A5FA6,?), ref: 002A6EF1
                                    • Part of subcall function 002A725E: __wsplitpath.LIBCMT ref: 002A727B
                                    • Part of subcall function 002A725E: __wsplitpath.LIBCMT ref: 002A728E
                                    • Part of subcall function 002A72CB: GetFileAttributesW.KERNEL32(?,002A6019), ref: 002A72CC
                                  • _wcscat.LIBCMT ref: 002A6149
                                  • _wcscat.LIBCMT ref: 002A6167
                                  • __wsplitpath.LIBCMT ref: 002A618E
                                  • FindFirstFileW.KERNEL32(?,?), ref: 002A61A4
                                  • _wcscpy.LIBCMT ref: 002A6209
                                  • _wcscat.LIBCMT ref: 002A621C
                                  • _wcscat.LIBCMT ref: 002A622F
                                  • lstrcmpiW.KERNEL32(?,?), ref: 002A625D
                                  • DeleteFileW.KERNEL32(?), ref: 002A626E
                                  • MoveFileW.KERNEL32(?,?), ref: 002A6289
                                  • MoveFileW.KERNEL32(?,?), ref: 002A6298
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 002A62AD
                                  • DeleteFileW.KERNEL32(?), ref: 002A62BE
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002A62E1
                                  • FindClose.KERNEL32(00000000), ref: 002A62FD
                                  • FindClose.KERNEL32(00000000), ref: 002A630B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 1917200108-1173974218
                                  • Opcode ID: e4ee0fe0a66edc7b1a17ee191cac8eca9aa26ebd2652766e75a61b2f7a39090c
                                  • Instruction ID: 577108e56f74473b3238d1527b131bff94f24510785300517d53a7422a253964
                                  • Opcode Fuzzy Hash: e4ee0fe0a66edc7b1a17ee191cac8eca9aa26ebd2652766e75a61b2f7a39090c
                                  • Instruction Fuzzy Hash: DD51407281815DABCB21EB91DC88EEB77BCAF05300F0900E6E589E2141DF7697598FA4
                                  APIs
                                  • OpenClipboard.USER32(002FDC00), ref: 002B6B36
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 002B6B44
                                  • GetClipboardData.USER32(0000000D), ref: 002B6B4C
                                  • CloseClipboard.USER32 ref: 002B6B58
                                  • GlobalLock.KERNEL32(00000000), ref: 002B6B74
                                  • CloseClipboard.USER32 ref: 002B6B7E
                                  • GlobalUnlock.KERNEL32(00000000), ref: 002B6B93
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 002B6BA0
                                  • GetClipboardData.USER32(00000001), ref: 002B6BA8
                                  • GlobalLock.KERNEL32(00000000), ref: 002B6BB5
                                  • GlobalUnlock.KERNEL32(00000000), ref: 002B6BE9
                                  • CloseClipboard.USER32 ref: 002B6CF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                  • String ID:
                                  • API String ID: 3222323430-0
                                  • Opcode ID: c2ad2103e062b922e0d19c7ed477afa137c31581c8f86d36a237ae9934a423a0
                                  • Instruction ID: 004e132d3cc0e8c24265020f8593450e5bb3ad9ba640d17a4881da1b023014e5
                                  • Opcode Fuzzy Hash: c2ad2103e062b922e0d19c7ed477afa137c31581c8f86d36a237ae9934a423a0
                                  • Instruction Fuzzy Hash: 3651B271250202AFD300EF60ED9EFBE77B8AF54B40F10052AF686EA1D1DF74D8158A62
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 002AF62B
                                  • FindClose.KERNEL32(00000000), ref: 002AF67F
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002AF6A4
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002AF6BB
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 002AF6E2
                                  • __swprintf.LIBCMT ref: 002AF72E
                                  • __swprintf.LIBCMT ref: 002AF767
                                  • __swprintf.LIBCMT ref: 002AF7BB
                                    • Part of subcall function 0028172B: __woutput_l.LIBCMT ref: 00281784
                                  • __swprintf.LIBCMT ref: 002AF809
                                  • __swprintf.LIBCMT ref: 002AF858
                                  • __swprintf.LIBCMT ref: 002AF8A7
                                  • __swprintf.LIBCMT ref: 002AF8F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                  • API String ID: 835046349-2428617273
                                  • Opcode ID: abcf4695a33415a346023a0f66f1d9bd6baa51df0926019682356e3abd176d04
                                  • Instruction ID: 0f4189f4d35c4aedf5ed0cdf355a303709c607b1d2d452c9f0f5b5c8fb2d8e07
                                  • Opcode Fuzzy Hash: abcf4695a33415a346023a0f66f1d9bd6baa51df0926019682356e3abd176d04
                                  • Instruction Fuzzy Hash: 29A140B1418344ABC354EB94C885DAFB7ECEF98704F44082EF585C7191EB34D969CB62
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002B1B50
                                  • _wcscmp.LIBCMT ref: 002B1B65
                                  • _wcscmp.LIBCMT ref: 002B1B7C
                                  • GetFileAttributesW.KERNEL32(?), ref: 002B1B8E
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 002B1BA8
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002B1BC0
                                  • FindClose.KERNEL32(00000000), ref: 002B1BCB
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 002B1BE7
                                  • _wcscmp.LIBCMT ref: 002B1C0E
                                  • _wcscmp.LIBCMT ref: 002B1C25
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B1C37
                                  • SetCurrentDirectoryW.KERNEL32(003139FC), ref: 002B1C55
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002B1C5F
                                  • FindClose.KERNEL32(00000000), ref: 002B1C6C
                                  • FindClose.KERNEL32(00000000), ref: 002B1C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1803514871-438819550
                                  • Opcode ID: 742a448013afbe19f842dea7cd7a874b3467bfeef3a7bcdd7afaa5e40e5df40e
                                  • Instruction ID: 9f08d0602f133f6552493ee7b925072a508b8e623a1d854f67832c4f636b86ab
                                  • Opcode Fuzzy Hash: 742a448013afbe19f842dea7cd7a874b3467bfeef3a7bcdd7afaa5e40e5df40e
                                  • Instruction Fuzzy Hash: 4131173254021A6FCF14AFB0EC9DADE7BAC9F09360F500196E905E7090EB70DAB58F64
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002B1CAB
                                  • _wcscmp.LIBCMT ref: 002B1CC0
                                  • _wcscmp.LIBCMT ref: 002B1CD7
                                    • Part of subcall function 002A6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002A6BEF
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002B1D06
                                  • FindClose.KERNEL32(00000000), ref: 002B1D11
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 002B1D2D
                                  • _wcscmp.LIBCMT ref: 002B1D54
                                  • _wcscmp.LIBCMT ref: 002B1D6B
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B1D7D
                                  • SetCurrentDirectoryW.KERNEL32(003139FC), ref: 002B1D9B
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002B1DA5
                                  • FindClose.KERNEL32(00000000), ref: 002B1DB2
                                  • FindClose.KERNEL32(00000000), ref: 002B1DC2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 1824444939-438819550
                                  • Opcode ID: 6cbd19f0a69c0f61f857aada78d666e13344aaa6244ee18d69d7ba56185cefcc
                                  • Instruction ID: dc6a7e4a1f116b2dfb00a8a4a32b307eebae3325a5e628f01556c3f4ea3a5408
                                  • Opcode Fuzzy Hash: 6cbd19f0a69c0f61f857aada78d666e13344aaa6244ee18d69d7ba56185cefcc
                                  • Instruction Fuzzy Hash: 5331043251061BABCF10AFA0EC59AEE7BAD9F053A0F900561E901E70D0DB70DAB58F64
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memset
                                  • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                  • API String ID: 2102423945-2023335898
                                  • Opcode ID: dfd9a5b3455a740f538b120b263f67efc93083dcc4e6649030b96180bcdcc7db
                                  • Instruction ID: cc78bc0b26892ff65716c89e439e81beee7549d9bf046cf4b9d00896ac255667
                                  • Opcode Fuzzy Hash: dfd9a5b3455a740f538b120b263f67efc93083dcc4e6649030b96180bcdcc7db
                                  • Instruction Fuzzy Hash: 8682C071D2421ACBCF24CF94C8807ADB7B1BF48314F25816AD85AAB391E7749DE5CB90
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 002B09DF
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002B09EF
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002B09FB
                                  • __wsplitpath.LIBCMT ref: 002B0A59
                                  • _wcscat.LIBCMT ref: 002B0A71
                                  • _wcscat.LIBCMT ref: 002B0A83
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B0A98
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B0AAC
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B0ADE
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B0AFF
                                  • _wcscpy.LIBCMT ref: 002B0B0B
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002B0B4A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                  • String ID: *.*
                                  • API String ID: 3566783562-438819550
                                  • Opcode ID: dc9a2941562bf041eff3d79a1b76036f629b49efb37fa372226f0f4a79001604
                                  • Instruction ID: 8cda4de7aaec90900d0cf9090ca6be02e933219a05b699b29d0e24082dfc5214
                                  • Opcode Fuzzy Hash: dc9a2941562bf041eff3d79a1b76036f629b49efb37fa372226f0f4a79001604
                                  • Instruction Fuzzy Hash: 046158725243059FD710EF60C8849AFB3E8FF89314F04491AE98997252DB31E969CF92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$mmmmmm$000 0
                                  • API String ID: 0-752779977
                                  • Opcode ID: 1df11a790dee21dd195fa7ca6940874be2b5e4232e8b8e839d2f063d3ac48e1a
                                  • Instruction ID: 0b9f118a58579a6acdcb983718d63af3f091e060fc47e2f3163271f5e226d1e2
                                  • Opcode Fuzzy Hash: 1df11a790dee21dd195fa7ca6940874be2b5e4232e8b8e839d2f063d3ac48e1a
                                  • Instruction Fuzzy Hash: 86728071E2425ADBDF14CF59D8807AEB7B5BF08314F54416AE806EB280DB709E91DF90
                                  APIs
                                    • Part of subcall function 0029ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0029ABD7
                                    • Part of subcall function 0029ABBB: GetLastError.KERNEL32(?,0029A69F,?,?,?), ref: 0029ABE1
                                    • Part of subcall function 0029ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0029A69F,?,?,?), ref: 0029ABF0
                                    • Part of subcall function 0029ABBB: HeapAlloc.KERNEL32(00000000,?,0029A69F,?,?,?), ref: 0029ABF7
                                    • Part of subcall function 0029ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0029AC0E
                                    • Part of subcall function 0029AC56: GetProcessHeap.KERNEL32(00000008,0029A6B5,00000000,00000000,?,0029A6B5,?), ref: 0029AC62
                                    • Part of subcall function 0029AC56: HeapAlloc.KERNEL32(00000000,?,0029A6B5,?), ref: 0029AC69
                                    • Part of subcall function 0029AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0029A6B5,?), ref: 0029AC7A
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0029A6D0
                                  • _memset.LIBCMT ref: 0029A6E5
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0029A704
                                  • GetLengthSid.ADVAPI32(?), ref: 0029A715
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0029A752
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0029A76E
                                  • GetLengthSid.ADVAPI32(?), ref: 0029A78B
                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0029A79A
                                  • HeapAlloc.KERNEL32(00000000), ref: 0029A7A1
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0029A7C2
                                  • CopySid.ADVAPI32(00000000), ref: 0029A7C9
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0029A7FA
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0029A820
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0029A834
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                  • String ID:
                                  • API String ID: 3996160137-0
                                  • Opcode ID: c2b73e0c1f1ce2dcd805e3fd24d4d3f10dcee430486f03e5caa612efc75b0cbf
                                  • Instruction ID: 6dd7b03a2f907339eb63daf3ce364a835241c54a805b0da18ca5e800fb4aa722
                                  • Opcode Fuzzy Hash: c2b73e0c1f1ce2dcd805e3fd24d4d3f10dcee430486f03e5caa612efc75b0cbf
                                  • Instruction Fuzzy Hash: 9A514E7191024AAFDF10DF95DC89EEEBBB9FF04304F048129F915AB290D7359A15CBA1
                                  APIs
                                    • Part of subcall function 002A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002A5FA6,?), ref: 002A6ED8
                                    • Part of subcall function 002A72CB: GetFileAttributesW.KERNEL32(?,002A6019), ref: 002A72CC
                                  • _wcscat.LIBCMT ref: 002A6441
                                  • __wsplitpath.LIBCMT ref: 002A645F
                                  • FindFirstFileW.KERNEL32(?,?), ref: 002A6474
                                  • _wcscpy.LIBCMT ref: 002A64A3
                                  • _wcscat.LIBCMT ref: 002A64B8
                                  • _wcscat.LIBCMT ref: 002A64CA
                                  • DeleteFileW.KERNEL32(?), ref: 002A64DA
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002A64EB
                                  • FindClose.KERNEL32(00000000), ref: 002A6506
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                  • String ID: \*.*
                                  • API String ID: 2643075503-1173974218
                                  • Opcode ID: d1f5f8fcbb552d2e98a8becfa9b0920baa6292d69e24ec8253797091dd0a12bf
                                  • Instruction ID: fcb14d8a2b7f9f119749aa2aa62a3708e25cf2dfb5c85c61513d499bdc08ebc7
                                  • Opcode Fuzzy Hash: d1f5f8fcbb552d2e98a8becfa9b0920baa6292d69e24ec8253797091dd0a12bf
                                  • Instruction Fuzzy Hash: DB3182B24193849FC721EFA48889ADB77DCAF5A310F44091AF6D8C3141EB35D51D8B67
                                  APIs
                                    • Part of subcall function 002C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002C2BB5,?,?), ref: 002C3C1D
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002C328E
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002C332D
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002C33C5
                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002C3604
                                  • RegCloseKey.ADVAPI32(00000000), ref: 002C3611
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                  • String ID:
                                  • API String ID: 1240663315-0
                                  • Opcode ID: 8a9f6346089788b812f0272e32fbab0a752aa811f0e7709c1505aa1b9a722749
                                  • Instruction ID: 85f9da08f87d59e3f2608b03b64de603929981d60fa249889391ca04c9331255
                                  • Opcode Fuzzy Hash: 8a9f6346089788b812f0272e32fbab0a752aa811f0e7709c1505aa1b9a722749
                                  • Instruction Fuzzy Hash: 71E15A71614200AFCB14DF28C995E2ABBE8FF89314B14896DF44ADB261DB31ED65CF42
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 002A2B5F
                                  • GetAsyncKeyState.USER32(000000A0), ref: 002A2BE0
                                  • GetKeyState.USER32(000000A0), ref: 002A2BFB
                                  • GetAsyncKeyState.USER32(000000A1), ref: 002A2C15
                                  • GetKeyState.USER32(000000A1), ref: 002A2C2A
                                  • GetAsyncKeyState.USER32(00000011), ref: 002A2C42
                                  • GetKeyState.USER32(00000011), ref: 002A2C54
                                  • GetAsyncKeyState.USER32(00000012), ref: 002A2C6C
                                  • GetKeyState.USER32(00000012), ref: 002A2C7E
                                  • GetAsyncKeyState.USER32(0000005B), ref: 002A2C96
                                  • GetKeyState.USER32(0000005B), ref: 002A2CA8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 49eee1daf4b5fbf42e963990643ac1e8b460b9ee8db26726758d4229253a0a54
                                  • Instruction ID: ce01dcc5555455550623dc65d97a0998c4038e7081783bd4d37d8c8e06c20964
                                  • Opcode Fuzzy Hash: 49eee1daf4b5fbf42e963990643ac1e8b460b9ee8db26726758d4229253a0a54
                                  • Instruction Fuzzy Hash: 4A41FB305147CBEFFF345F6888443A9BEA16B13314F04444ADAC65A2C1DF9499ECC7A1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  • Opcode ID: d39b1c99924237185914d45dd5493d91ce5c0e73f6bda5e4c2fcdf19e2475778
                                  • Instruction ID: 07b6668059bab7baa8d523e3b0eb7ec852f43f4718a6d5cebf66e4b09e83e277
                                  • Opcode Fuzzy Hash: d39b1c99924237185914d45dd5493d91ce5c0e73f6bda5e4c2fcdf19e2475778
                                  • Instruction Fuzzy Hash: 3C219C31360111AFDB11AF64ED8DB6E77A8FF14750F04841AF90ADB2A1CB74E8218F94
                                  APIs
                                    • Part of subcall function 00299ABF: CLSIDFromProgID.OLE32 ref: 00299ADC
                                    • Part of subcall function 00299ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00299AF7
                                    • Part of subcall function 00299ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00299B05
                                    • Part of subcall function 00299ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00299B15
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002BC235
                                  • _memset.LIBCMT ref: 002BC242
                                  • _memset.LIBCMT ref: 002BC360
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 002BC38C
                                  • CoTaskMemFree.OLE32(?), ref: 002BC397
                                  Strings
                                  • NULL Pointer assignment, xrefs: 002BC3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 1300414916-2785691316
                                  • Opcode ID: df99353e5706494882ab86b776ef1c6617e606e44110ea23fcf08e5654d45e92
                                  • Instruction ID: 3b60c8f18d90825498f2f53f65399aa4d13a04515844fec47ea4449136c6d8f7
                                  • Opcode Fuzzy Hash: df99353e5706494882ab86b776ef1c6617e606e44110ea23fcf08e5654d45e92
                                  • Instruction Fuzzy Hash: 68915B71D10218EBDB10DF94DC85EEEBBB9EF08350F20816AF519A7281DB709A55CFA0
                                  APIs
                                    • Part of subcall function 0029B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029B180
                                    • Part of subcall function 0029B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029B1AD
                                    • Part of subcall function 0029B134: GetLastError.KERNEL32 ref: 0029B1BA
                                  • ExitWindowsEx.USER32(?,00000000), ref: 002A7A0F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                  • String ID: $@$SeShutdownPrivilege
                                  • API String ID: 2234035333-194228
                                  • Opcode ID: 0bb2eebab0849434c1d38792915b144f2b0d425f4df7ff805b2f2c0b53442385
                                  • Instruction ID: 06372bcf22c05366e6a39ea06291ea38742f2591a8e7950623b44d9e95fcaf00
                                  • Opcode Fuzzy Hash: 0bb2eebab0849434c1d38792915b144f2b0d425f4df7ff805b2f2c0b53442385
                                  • Instruction Fuzzy Hash: 150184757B82527BEB285A689C9ABBF72589B02740F240425FD53A60D3DDB15E2081A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$mmmmmm$0
                                  • API String ID: 0-2791911115
                                  • Opcode ID: 317c4d128a7af9474fb3855f8b2d5aafb24956523dc62f346536c8b486db2b6e
                                  • Instruction ID: e9a008c190edd0853051cd577d62c441e2619cac747ada62461c5bb4de2501d3
                                  • Opcode Fuzzy Hash: 317c4d128a7af9474fb3855f8b2d5aafb24956523dc62f346536c8b486db2b6e
                                  • Instruction Fuzzy Hash: 4F92E171E2025ACBDF24CF59C8407BDB3B5BB54314F6481AAE81AAB280D7719DE1CF91
                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002B8CA8
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8CB7
                                  • bind.WSOCK32(00000000,?,00000010), ref: 002B8CD3
                                  • listen.WSOCK32(00000000,00000005), ref: 002B8CE2
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8CFC
                                  • closesocket.WSOCK32(00000000,00000000), ref: 002B8D10
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                  • String ID:
                                  • API String ID: 1279440585-0
                                  • Opcode ID: 745ffe42c94bc89f312d1d36e48fb60f06c90c83925804d82e580895d292e08d
                                  • Instruction ID: 035260c5012609035b68d1ec4c4597ac5739a06202fba5347e94b695d0dcb77f
                                  • Opcode Fuzzy Hash: 745ffe42c94bc89f312d1d36e48fb60f06c90c83925804d82e580895d292e08d
                                  • Instruction Fuzzy Hash: 252123316102019FCB10EF28DD88BAEB7E8EF49350F108149F91AAB3D2CB30AD51CB51
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002A6554
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002A6564
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 002A6583
                                  • __wsplitpath.LIBCMT ref: 002A65A7
                                  • _wcscat.LIBCMT ref: 002A65BA
                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 002A65F9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                  • String ID:
                                  • API String ID: 1605983538-0
                                  • Opcode ID: 19f3220adca9fc6567ea98c3696923b8d44e96584d28e2c81a69faf799d136d1
                                  • Instruction ID: 66193eefc0c87f8a32d943e325ab8044f87bcc81d98fb79a4aa4d4a77c5a3596
                                  • Opcode Fuzzy Hash: 19f3220adca9fc6567ea98c3696923b8d44e96584d28e2c81a69faf799d136d1
                                  • Instruction Fuzzy Hash: D0214171910259ABDB10AFA4DC88BD9B7BCAB45300F5404A5E505E7141DBB19B95CF60
                                  APIs
                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002A13DC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: lstrlen
                                  • String ID: ($,21$<21$|
                                  • API String ID: 1659193697-2473297438
                                  • Opcode ID: 041ade4fe7152834521741e7cb7fed012ee1749d17c72df53b08272bcbb0b488
                                  • Instruction ID: f4d7b927ae1be4a2692f91a88f4cc218e00697603caa9e57774f38c00fe08acf
                                  • Opcode Fuzzy Hash: 041ade4fe7152834521741e7cb7fed012ee1749d17c72df53b08272bcbb0b488
                                  • Instruction Fuzzy Hash: CE322575A106059FC728CF29C480A6AB7F0FF48320F15C56EE59ADB3A1EB70E961CB44
                                  APIs
                                    • Part of subcall function 002BA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002BA84E
                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 002B9296
                                  • WSAGetLastError.WSOCK32(00000000,00000000), ref: 002B92B9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorLastinet_addrsocket
                                  • String ID:
                                  • API String ID: 4170576061-0
                                  • Opcode ID: 95ded2418a0acb7e78f647818ba5d4ad75e942f76463bf422106f91b7a8bc1e9
                                  • Instruction ID: cf859d0f404f621106223579e470d02479834f07c0487b761c27721f8e37bee1
                                  • Opcode Fuzzy Hash: 95ded2418a0acb7e78f647818ba5d4ad75e942f76463bf422106f91b7a8bc1e9
                                  • Instruction Fuzzy Hash: 0441C170610200AFEB10AF28C886E7E77EDEF44764F14844DF95AAB3C2CA749D618B91
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 002AEB8A
                                  • _wcscmp.LIBCMT ref: 002AEBBA
                                  • _wcscmp.LIBCMT ref: 002AEBCF
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002AEBE0
                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 002AEC0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                  • String ID:
                                  • API String ID: 2387731787-0
                                  • Opcode ID: 23a8c20ad4bcbf285ffdd78987aaba6f07f3e2835aec23c8c5ca47bd117346da
                                  • Instruction ID: c87f359962d90f6b26b7c5bc24d6743cab41e3a3772bc4dd058bc4fca7c64506
                                  • Opcode Fuzzy Hash: 23a8c20ad4bcbf285ffdd78987aaba6f07f3e2835aec23c8c5ca47bd117346da
                                  • Instruction Fuzzy Hash: 9041C035610302DFCB08DF28C491A9AB3E5FF4A324F10455EEA5A8B3A1DF31A965CF51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 4edd63c8cefc31f4c58c71d3891aefa93266d7c99455b9c05b690860890bd9e4
                                  • Instruction ID: 12c38a6fe33df380d5badfd0e701691f7156991f7b02f6150e123fe9c1274b9d
                                  • Opcode Fuzzy Hash: 4edd63c8cefc31f4c58c71d3891aefa93266d7c99455b9c05b690860890bd9e4
                                  • Instruction Fuzzy Hash: CB119031350511AFE7215F26AC88F6FB7DCEF54760B09852DF84DDB241CFB099228AA4
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,0027E014,75920AE0,0027DEF1,002FDC38,?,?), ref: 0027E02C
                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0027E03E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                  • API String ID: 2574300362-192647395
                                  • Opcode ID: dc4b8e6829ea293887054a320c48759c80f41bc3ba24337f34f8db1f976ab6dc
                                  • Instruction ID: 24024cd3cb4b0d5958da2dcdcb9320e7c36726950fc2a7b328caf8eb1e28121e
                                  • Opcode Fuzzy Hash: dc4b8e6829ea293887054a320c48759c80f41bc3ba24337f34f8db1f976ab6dc
                                  • Instruction Fuzzy Hash: 9CD05E305507139ECB264F60E84C69276E4AF0A300F198459E489A6150D6B4C8908660
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 0027B22F
                                    • Part of subcall function 0027B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0027B5A5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Proc$LongWindow
                                  • String ID:
                                  • API String ID: 2749884682-0
                                  • Opcode ID: e3ca177c5dc0799658a4f40bc8cecc827fda9382bf70b51864b01b40d9c77c75
                                  • Instruction ID: a91cf9052bb1d0dec9552482579c230615d458f2989ca250d5b3b0c2545955cf
                                  • Opcode Fuzzy Hash: e3ca177c5dc0799658a4f40bc8cecc827fda9382bf70b51864b01b40d9c77c75
                                  • Instruction Fuzzy Hash: 6FA14870135006BADB3A7E295C88FBF295DEB56340B51C21EFC0EDA292CB749C319672
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002B43BF,00000000), ref: 002B4FA6
                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002B4FD2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Internet$AvailableDataFileQueryRead
                                  • String ID:
                                  • API String ID: 599397726-0
                                  • Opcode ID: 64447ba6fa66d06902034d73c8f5c4a2f2eea7d93610c25398ad164e3eabcd32
                                  • Instruction ID: b1ececedfdf650351a44374c76cf874d3bf26054877cfe041cef5a45d9dba257
                                  • Opcode Fuzzy Hash: 64447ba6fa66d06902034d73c8f5c4a2f2eea7d93610c25398ad164e3eabcd32
                                  • Instruction Fuzzy Hash: 0741E97152420ABFEB21EE84DCC5FFFB7BCEB40794F10402AF60567182D6B19E519A60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \Q1
                                  • API String ID: 4104443479-1754882793
                                  • Opcode ID: 29fa9950d34f20a16eaa2ea8a146d076e703ed9b1c18bc773952abd829cc6b24
                                  • Instruction ID: ebfac0183b2e9657ee33f6d8576dd41ca9b19bc75a0ae08e8539c28c2ec10d96
                                  • Opcode Fuzzy Hash: 29fa9950d34f20a16eaa2ea8a146d076e703ed9b1c18bc773952abd829cc6b24
                                  • Instruction Fuzzy Hash: 36A26D74D2421ACFDB24CF58D4806ADBBB1FF48314F2581AAD859AB390D7709EA1DF90
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 002AE20D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002AE267
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002AE2B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID:
                                  • API String ID: 1682464887-0
                                  APIs
                                    • Part of subcall function 0027F4EA: std::exception::exception.LIBCMT ref: 0027F51E
                                    • Part of subcall function 0027F4EA: __CxxThrowException@8.LIBCMT ref: 0027F533
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029B180
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029B1AD
                                  • GetLastError.KERNEL32 ref: 0029B1BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                  • String ID:
                                  • API String ID: 1922334811-0
                                  APIs
                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002A6623
                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002A6664
                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002A666F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseControlCreateDeviceFileHandle
                                  • String ID:
                                  • API String ID: 33631002-0
                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002A7223
                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002A723A
                                  • FreeSid.ADVAPI32(?), ref: 002A724A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                  • String ID:
                                  • API String ID: 3429775523-0
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 002AF599
                                  • FindClose.KERNEL32(00000000), ref: 002AF5C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  APIs
                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002BBE6A,?,?,00000000,?), ref: 002ACEA7
                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002BBE6A,?,?,00000000,?), ref: 002ACEB9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  APIs
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002A4153
                                  • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 002A4166
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InputSendkeybd_event
                                  • String ID:
                                  • API String ID: 3536248340-0
                                  APIs
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0029ACC0), ref: 0029AB99
                                  • CloseHandle.KERNEL32(?,?,0029ACC0), ref: 0029ABAB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AdjustCloseHandlePrivilegesToken
                                  • String ID:
                                  • API String ID: 81990902-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00286DB3,-0000031A,?,?,00000001), ref: 002881B1
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002881BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __itow__swprintf
                                  • String ID:
                                  • API String ID: 674341424-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • __time64.LIBCMT ref: 002AB6DF
                                    • Part of subcall function 0028344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002ABDC3,00000000,?,?,?,?,002ABF70,00000000,?), ref: 00283453
                                    • Part of subcall function 0028344A: __aulldiv.LIBCMT ref: 00283473
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem__aulldiv__time64
                                  • String ID:
                                  • API String ID: 2893107130-0
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 002B6ACA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  APIs
                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002A74DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: mouse_event
                                  • String ID:
                                  • API String ID: 2434400541-0
                                  APIs
                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0029AD3E), ref: 0029B124
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  • Opcode ID: c87a6d90140872eaa468a6cf0421d49b4a37b5e5d81f7bfa240465a2a7410dd4
                                  • Instruction ID: 531c6853dd4a517775cf87abb4a65d17d03143ea8980715d1ee04becaecba2ae
                                  • Opcode Fuzzy Hash: c87a6d90140872eaa468a6cf0421d49b4a37b5e5d81f7bfa240465a2a7410dd4
                                  • Instruction Fuzzy Hash: 69D05E320A464EAEDF024FA4EC06EAE3F6AEB04700F448110FA21C90A0C671D531AB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: 457e5489fddaa75ca106554d29d61593cc5d190c63c4302192dba871fbad1f7d
                                  • Instruction ID: 9b206af0b733642c62c968ed6ef7d96d93619ebebddec2a5080bb678766e7683
                                  • Opcode Fuzzy Hash: 457e5489fddaa75ca106554d29d61593cc5d190c63c4302192dba871fbad1f7d
                                  • Instruction Fuzzy Hash: 21C04CB1410159DFC751CBC0D988EEEB7BCAB04301F1440929105F1110D7709B459B72
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0028818F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: d6d8a984729f7f0bf2cf24407922c5be7084bec95dde4b9b47eae9f6ea968555
                                  • Instruction ID: 4a8fc2cb3282a4c8c4afbdd8ce5fc06fe7810fae7712fca5a84bfd82d8374eb9
                                  • Opcode Fuzzy Hash: d6d8a984729f7f0bf2cf24407922c5be7084bec95dde4b9b47eae9f6ea968555
                                  • Instruction Fuzzy Hash: B7A0113208020CAB8F002B82FC088883F2CEA002A0B0000A0F80C080208B32A8208A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cec4eca31c304b508d5ad0138783cd6a65bbff3ba1f387e6abac18ccd11d5f2
                                  • Instruction ID: 8770c18db65fe2607b874ec7620972991eee95e0078a72e9aca861568698d729
                                  • Opcode Fuzzy Hash: 6cec4eca31c304b508d5ad0138783cd6a65bbff3ba1f387e6abac18ccd11d5f2
                                  • Instruction Fuzzy Hash: 8A22C178924206CFDF24DF58C480AAEB7F1FF14304F15806AD94A9B391E775ADA1CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b5adcbce2e612758f2753a3db32f1aba39c1cef427a4e10825e50908e698eda
                                  • Instruction ID: b96fb6a67abf55998645642432df0babf41c29c746fdd4c248c343bf2762ed4e
                                  • Opcode Fuzzy Hash: 4b5adcbce2e612758f2753a3db32f1aba39c1cef427a4e10825e50908e698eda
                                  • Instruction Fuzzy Hash: 50127B70A10209DFDF14DFA5D985AAEB7F9FF48300F208569E406E7250EB36ADA5CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Exception@8Throwstd::exception::exception
                                  • String ID:
                                  • API String ID: 3728558374-0
                                  • Opcode ID: c277d708551b18c94818efba0a5c0c7e92d31284403eb1b8dbed288309004f8a
                                  • Instruction ID: 5bec9e545e9450ebc6df5aa36b6a4aa43da155e64ac896f0da03562ca0ef025c
                                  • Opcode Fuzzy Hash: c277d708551b18c94818efba0a5c0c7e92d31284403eb1b8dbed288309004f8a
                                  • Instruction Fuzzy Hash: C5029270A20205DBCF05DF64D9916AEBBB5EF58300F10C4AAE80ADB395EB31DD65CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                  • Instruction ID: 5f242d80d7baebe5a713540e6b2ec1633c2d0cc28400c2a312cb71320e457381
                                  • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                  • Instruction Fuzzy Hash: 96C1E83622A1930ADFAD4A39857443EBAA15E917B131A077DD8B7CB4D6FF20C538D720
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                  • Instruction ID: 931416160a7f2a4bdf9a9f16ee47c01f26e4b9dfd95473055d2dc8d3d99bffbe
                                  • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                  • Instruction Fuzzy Hash: 89C1D63622A1930ADFAD4A39857443EFAA15A92BB131A077DD4B7CB4D6EF20C538D710
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction ID: fe7b0249c28bbc26ca1847661072d8771416050d63e718ca4c87f8fe5045d012
                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction Fuzzy Hash: 86C1C73222D0930ADFAD4A39C63043EBAA15A917B531A877DD4BACB5D6EF30C534D620
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                  • Instruction ID: 2b0e83113e8910bb975bddbf0a0b254fd0556702eee70710ec845df0fa85f0c4
                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                  • Instruction Fuzzy Hash: 7641D371D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                  • Instruction ID: a90bf39f799918148933826810ab31a84344329f8d90bf2b270ffd3541c6e7bc
                                  • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                  • Instruction Fuzzy Hash: D9018079A01109EFCB88DF98C690DAEF7B5FB48714F208599EC09A7705D731AE41DB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                  • Instruction ID: 389dbd975e54399f82b9e3ba10ccfcd0dcf39b4bb5d634e17d1f18734436deb6
                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                  • Instruction Fuzzy Hash: 54019278A01149EFCB88DF98C690DAEF7B5FB48714F208599EC09A7705D731AE41DB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063809334.000000000134D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                  • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                  • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                  • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 002BA2FE
                                  • DeleteObject.GDI32(00000000), ref: 002BA310
                                  • DestroyWindow.USER32 ref: 002BA31E
                                  • GetDesktopWindow.USER32 ref: 002BA338
                                  • GetWindowRect.USER32(00000000), ref: 002BA33F
                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002BA480
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002BA490
                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA4D8
                                  • GetClientRect.USER32(00000000,?), ref: 002BA4E4
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002BA51E
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA540
                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA553
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA55E
                                  • GlobalLock.KERNEL32(00000000), ref: 002BA567
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA576
                                  • GlobalUnlock.KERNEL32(00000000), ref: 002BA57F
                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA586
                                  • GlobalFree.KERNEL32(00000000), ref: 002BA591
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA5A3
                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002ED9BC,00000000), ref: 002BA5B9
                                  • GlobalFree.KERNEL32(00000000), ref: 002BA5C9
                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002BA5EF
                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002BA60E
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA630
                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002BA81D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 2211948467-2373415609
                                  • Opcode ID: 7bc3e3df4bbd78a458c51ccecf6b14e358d08e5ba606faf023b9e6a7bfab2019
                                  • Instruction ID: a857092cc8ab88891ca85401d078e764b1f9cfd20ae2a0407c4a4afae6a73899
                                  • Opcode Fuzzy Hash: 7bc3e3df4bbd78a458c51ccecf6b14e358d08e5ba606faf023b9e6a7bfab2019
                                  • Instruction Fuzzy Hash: 57028F71910249EFDB14DFA4DD89EAE7BB9FB48350F108158F905AB2A1CB70AD51CF60
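The per-function entries above (the LogonUserW entry, the mouse_event entry, and the window/picture-loading entry ending here) all follow one layout: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines, optional "Part of subcall function" lines, and a "Similarity" block with API ID, String ID and Opcode ID fields. The following is an added example, not part of the Joe Sandbox report or its tooling: a small parser that turns that layout into structured call records, decodes the immediate arguments the report prints as 8-digit hex, and flags functions whose calls hit an assumed triage watchlist. The SAMPLE text is a constructed excerpt in the report's layout and WATCHLIST is an illustrative choice, not anything the report defines.

```python
"""Parse Joe Sandbox per-function API listings and flag sensitive API use.

Added example, not part of the Joe Sandbox report or its tooling. SAMPLE is a
constructed excerpt in the report's own layout; WATCHLIST is an assumed triage
list chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed input: two function entries in the layout used by the report.
SAMPLE = """\
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0029AD3E), ref: 0029B124
Memory Dump Source
• Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: c87a6d90140872eaa468a6cf0421d49b4a37b5e5d81f7bfa240465a2a7410dd4
APIs
• SetTextColor.GDI32(?,00000000), ref: 002CD2DB
• DestroyWindow.USER32 ref: 0027B98B
  • Part of subcall function 002CD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002CD698
Similarity
• API ID: Color$Rect$Object
• String ID:
• API String ID: 3521893082-0
• Opcode ID: 307a7304b2b850c3ded4812b681d79a46909822d54e385c8b9f372479072dd72
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), then "ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Similarity fields; "Opcode ID" is the last field of an entry and closes it.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID):\s*(?P<val>.*)$")

# Assumed watchlist for illustration: API name -> why a triager cares.
WATCHLIST = {
    "LogonUserW": "authenticates with a username/password pair",
    "mouse_event": "synthesises mouse input",
    "SetUnhandledExceptionFilter": "installs a top-level exception handler (also set by normal CRT startup)",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw argument tokens as printed by the report ("?" = unknown)
    ref: str            # address of the call site
    subcall_of: str = ""  # set when the report marks the line "Part of subcall function"


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


def parse_report(text):
    """Split report text into FunctionEntry records, one per 'Opcode ID' field."""
    funcs, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f.group("key"), f.group("val").strip()
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_id = val
        elif key == "Opcode ID":
            cur.opcode_id = val
            funcs.append(cur)
            cur = FunctionEntry()
    return funcs


def immediate_args(call):
    """Decode the 8-hex-digit immediates the report prints; '?' and string args become None."""
    out = []
    for a in call.args:
        try:
            out.append(int(a, 16))
        except ValueError:
            out.append(None)
    return out


def flag_functions(funcs, watchlist=WATCHLIST):
    """Return one hit per (function, watchlisted call), keyed by the function's Opcode ID prefix."""
    hits = []
    for fn in funcs:
        for c in fn.calls:
            if c.name in watchlist:
                hits.append({"function": fn.opcode_id[:12], "api": c.name, "module": c.module,
                             "ref": c.ref, "why": watchlist[c.name]})
    return hits


if __name__ == "__main__":
    for h in flag_functions(parse_report(SAMPLE)):
        print(f"{h['function']}  {h['api']}.{h['module']} @ {h['ref']}: {h['why']}")
```

Run it over a saved copy of the report's function listing to get a per-function call table instead of scrolling bullet lists; the decoded immediates are what make the window-message and flag arguments (for instance the 00000172 passed to SendMessageW in the entry above) comparable against constants in the Windows headers.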
                                  APIs
                                  • SetTextColor.GDI32(?,00000000), ref: 002CD2DB
                                  • GetSysColorBrush.USER32(0000000F), ref: 002CD30C
                                  • GetSysColor.USER32(0000000F), ref: 002CD318
                                  • SetBkColor.GDI32(?,000000FF), ref: 002CD332
                                  • SelectObject.GDI32(?,00000000), ref: 002CD341
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 002CD36C
                                  • GetSysColor.USER32(00000010), ref: 002CD374
                                  • CreateSolidBrush.GDI32(00000000), ref: 002CD37B
                                  • FrameRect.USER32(?,?,00000000), ref: 002CD38A
                                  • DeleteObject.GDI32(00000000), ref: 002CD391
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 002CD3DC
                                  • FillRect.USER32(?,?,00000000), ref: 002CD40E
                                  • GetWindowLongW.USER32(?,000000F0), ref: 002CD439
                                    • Part of subcall function 002CD575: GetSysColor.USER32(00000012), ref: 002CD5AE
                                    • Part of subcall function 002CD575: SetTextColor.GDI32(?,?), ref: 002CD5B2
                                    • Part of subcall function 002CD575: GetSysColorBrush.USER32(0000000F), ref: 002CD5C8
                                    • Part of subcall function 002CD575: GetSysColor.USER32(0000000F), ref: 002CD5D3
                                    • Part of subcall function 002CD575: GetSysColor.USER32(00000011), ref: 002CD5F0
                                    • Part of subcall function 002CD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002CD5FE
                                    • Part of subcall function 002CD575: SelectObject.GDI32(?,00000000), ref: 002CD60F
                                    • Part of subcall function 002CD575: SetBkColor.GDI32(?,00000000), ref: 002CD618
                                    • Part of subcall function 002CD575: SelectObject.GDI32(?,?), ref: 002CD625
                                    • Part of subcall function 002CD575: InflateRect.USER32(?,000000FF,000000FF), ref: 002CD644
                                    • Part of subcall function 002CD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002CD65B
                                    • Part of subcall function 002CD575: GetWindowLongW.USER32(00000000,000000F0), ref: 002CD670
                                    • Part of subcall function 002CD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002CD698
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 3521893082-0
                                  • Opcode ID: 307a7304b2b850c3ded4812b681d79a46909822d54e385c8b9f372479072dd72
                                  • Instruction ID: 8591a74415eb7ff52bd0dc08974edf7ee56f056bbe316550735746c56fc5957f
                                  • Opcode Fuzzy Hash: 307a7304b2b850c3ded4812b681d79a46909822d54e385c8b9f372479072dd72
                                  • Instruction Fuzzy Hash: 66918E71048341AFCB109F64EC88F6BBBA9FB85325F500A2DF9669A1A0D771E944CF52
                                  APIs
                                  • DestroyWindow.USER32 ref: 0027B98B
                                  • DeleteObject.GDI32(00000000), ref: 0027B9CD
                                  • DeleteObject.GDI32(00000000), ref: 0027B9D8
                                  • DestroyIcon.USER32(00000000), ref: 0027B9E3
                                  • DestroyWindow.USER32(00000000), ref: 0027B9EE
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 002DD2AA
                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002DD2E3
                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 002DD711
                                    • Part of subcall function 0027B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0027B759,?,00000000,?,?,?,?,0027B72B,00000000,?), ref: 0027BA58
                                  • SendMessageW.USER32 ref: 002DD758
                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002DD76F
                                  • ImageList_Destroy.COMCTL32(00000000), ref: 002DD785
                                  • ImageList_Destroy.COMCTL32(00000000), ref: 002DD790
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                  • String ID: 0
                                  • API String ID: 464785882-4108050209
                                  • Opcode ID: d4de3d8f59234eb485b63f469324c5b5a8a202f09247a1214aa0100195d52108
                                  • Instruction ID: fc0f4c277f57b157f0b8f5578b32aca52f0b7496810700459c2698f7f554ed7d
                                  • Opcode Fuzzy Hash: d4de3d8f59234eb485b63f469324c5b5a8a202f09247a1214aa0100195d52108
                                  • Instruction Fuzzy Hash: B312AF30124642DFDB11DF24D888BA9B7E5FF45304F1485AAEA99CB252C731EC65CF91
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 002ADBD6
                                  • GetDriveTypeW.KERNEL32(?,002FDC54,?,\\.\,002FDC00), ref: 002ADCC3
                                  • SetErrorMode.KERNEL32(00000000,002FDC54,?,\\.\,002FDC00), ref: 002ADE29
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                  • API String ID: 2907320926-4222207086
                                  • Opcode ID: 1c4e247e340535b6c47d7ddb504840abf23fe9afac92be6f73cb7f53ebb4022a
                                  • Instruction ID: 4cec3f089ac58c62ba0b5ed1e645aff22fea1c0401cbb7c346617c16630dbd15
                                  • Opcode Fuzzy Hash: 1c4e247e340535b6c47d7ddb504840abf23fe9afac92be6f73cb7f53ebb4022a
                                  • Instruction Fuzzy Hash: 6751C431278702DB8708DF10C9818B9B7A1FB5E704B24881BF4479B691DFB0DAB5DB42
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-86951937
                                  • Opcode ID: 4920e072ff0fa66df3bb9b88b0e5102a80bdde9f91dcafc7d3db59f818b16c42
                                  • Instruction ID: 410c5702ba8c8739a644bcacd34ac7379d77d72fda7a50575ec6b6925358b1fd
                                  • Opcode Fuzzy Hash: 4920e072ff0fa66df3bb9b88b0e5102a80bdde9f91dcafc7d3db59f818b16c42
                                  • Instruction Fuzzy Hash: F181273167020AAEDB15BF64CC83FBE7769AF25340F104026F945AA1C2EA60D9B5CA91
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 002CC788
                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002CC83E
                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 002CC859
                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 002CCB15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: 0
                                  • API String ID: 2326795674-4108050209
                                  • Opcode ID: b9cd4ba004a7ddfe92349785be87499cc39cd784531b6617dff1e2f40889b7c4
                                  • Instruction ID: 6b0b74ac1bb4240a4d384fde010f8a2ec50482ac50e852c30a843df65808cc01
                                  • Opcode Fuzzy Hash: b9cd4ba004a7ddfe92349785be87499cc39cd784531b6617dff1e2f40889b7c4
                                  • Instruction Fuzzy Hash: 36F1C171124342AFD7218F24D889FAABBE8FF49314F24072DF59C962A1C775C964CB91
                                  APIs
                                  • CharUpperBuffW.USER32(?,?,002FDC00), ref: 002C6449
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                  • API String ID: 3964851224-45149045
                                  • Opcode ID: 7a529aa58083f1599ef55f66a15eea3ec14dfe3d6079e34a74f66575b4e14f20
                                  • Instruction ID: 831c0a3bbfb4c1d48bdd15b5e32cce6c09735ec79480008b2ee89a136297568f
                                  • Opcode Fuzzy Hash: 7a529aa58083f1599ef55f66a15eea3ec14dfe3d6079e34a74f66575b4e14f20
                                  • Instruction Fuzzy Hash: 54C1B4342342068BCF05EF10C555FAEB799AF98744F10495DF8495B292DB31ED6ACF82
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 002CD5AE
                                  • SetTextColor.GDI32(?,?), ref: 002CD5B2
                                  • GetSysColorBrush.USER32(0000000F), ref: 002CD5C8
                                  • GetSysColor.USER32(0000000F), ref: 002CD5D3
                                  • CreateSolidBrush.GDI32(?), ref: 002CD5D8
                                  • GetSysColor.USER32(00000011), ref: 002CD5F0
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002CD5FE
                                  • SelectObject.GDI32(?,00000000), ref: 002CD60F
                                  • SetBkColor.GDI32(?,00000000), ref: 002CD618
                                  • SelectObject.GDI32(?,?), ref: 002CD625
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 002CD644
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002CD65B
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 002CD670
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002CD698
                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002CD6BF
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 002CD6DD
                                  • DrawFocusRect.USER32(?,?), ref: 002CD6E8
                                  • GetSysColor.USER32(00000011), ref: 002CD6F6
                                  • SetTextColor.GDI32(?,00000000), ref: 002CD6FE
                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002CD712
                                  • SelectObject.GDI32(?,002CD2A5), ref: 002CD729
                                  • DeleteObject.GDI32(?), ref: 002CD734
                                  • SelectObject.GDI32(?,?), ref: 002CD73A
                                  • DeleteObject.GDI32(?), ref: 002CD73F
                                  • SetTextColor.GDI32(?,?), ref: 002CD745
                                  • SetBkColor.GDI32(?,?), ref: 002CD74F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 1996641542-0
                                  • Opcode ID: b7781acaab7ff0be56248dc95ef9488ca7492f571f3902b5d7575b8f26cd91a3
                                  • Instruction ID: 7e645c2aea4070c1f0ae48f583e079a5a5796803ccc8b1356dc0744b7a91acb6
                                  • Opcode Fuzzy Hash: b7781acaab7ff0be56248dc95ef9488ca7492f571f3902b5d7575b8f26cd91a3
                                  • Instruction Fuzzy Hash: 9A513B71940248AFDF109FA4EC88EAEBB79EB08320F214515F915AF2A1D7719A40CF50
                                  APIs
                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002CB7B0
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002CB7C1
                                  • CharNextW.USER32(0000014E), ref: 002CB7F0
                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002CB831
                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002CB847
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002CB858
                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002CB875
                                  • SetWindowTextW.USER32(?,0000014E), ref: 002CB8C7
                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002CB8DD
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 002CB90E
                                  • _memset.LIBCMT ref: 002CB933
                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002CB97C
                                  • _memset.LIBCMT ref: 002CB9DB
                                  • SendMessageW.USER32 ref: 002CBA05
                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 002CBA5D
                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 002CBB0A
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 002CBB2C
                                  • GetMenuItemInfoW.USER32(?), ref: 002CBB76
                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002CBBA3
                                  • DrawMenuBar.USER32(?), ref: 002CBBB2
                                  • SetWindowTextW.USER32(?,0000014E), ref: 002CBBDA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                  • String ID: 0
                                  • API String ID: 1073566785-4108050209
                                  • Opcode ID: 16cea9be84c00b9a4cb6d11405bd599cfaa97b02043f881db1d1a7ad45384e1c
                                  • Instruction ID: 38b45ccb8d8ed789e71f21c5ee5237ebe95f3be19d1d14f2774f89c47a9435a4
                                  • Opcode Fuzzy Hash: 16cea9be84c00b9a4cb6d11405bd599cfaa97b02043f881db1d1a7ad45384e1c
                                  • Instruction Fuzzy Hash: 44E1C075910219ABDF229F61DC8AFEEBB78FF04714F10825AF919AB190D7708A51CF60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$Foreground
                                  • String ID: ACTIVE$ALL$CLASS$H+1$HANDLE$INSTANCE$L+1$LAST$P+1$REGEXPCLASS$REGEXPTITLE$T+1$TITLE
                                  • API String ID: 62970417-534164068
                                  • Opcode ID: 1a2492445f051353122e98eef3c34e66954d64b9837842f49a343b6369564d48
                                  • Instruction ID: a7cece44fa2986b8d32042867a313c743fdec6a47cfc6bb5a521bcd994d0664d
                                  • Opcode Fuzzy Hash: 1a2492445f051353122e98eef3c34e66954d64b9837842f49a343b6369564d48
                                  • Instruction Fuzzy Hash: F3D1B530128643DBCB05EF10C4859AABBA8BF64344F10895EF459576A1DB70EDBECF91
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 002C778A
                                  • GetDesktopWindow.USER32 ref: 002C779F
                                  • GetWindowRect.USER32(00000000), ref: 002C77A6
                                  • GetWindowLongW.USER32(?,000000F0), ref: 002C7808
                                  • DestroyWindow.USER32(?), ref: 002C7834
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002C785D
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C787B
                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002C78A1
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 002C78B6
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002C78C9
                                  • IsWindowVisible.USER32(?), ref: 002C78E9
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002C7904
                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002C7918
                                  • GetWindowRect.USER32(?,?), ref: 002C7930
                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 002C7956
                                  • GetMonitorInfoW.USER32 ref: 002C7970
                                  • CopyRect.USER32(?,?), ref: 002C7987
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 002C79F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                  • String ID: ($0$tooltips_class32
                                  • API String ID: 698492251-4156429822
                                  • Opcode ID: 44d16339f69af9351f731ae81bdc9cf0f939cc4cbe3662dad0852acb9c4d8843
                                  • Instruction ID: 615b50ae8b8832f2cac2c32ca133b2687eba3f0c1233035aae33395e797612c5
                                  • Opcode Fuzzy Hash: 44d16339f69af9351f731ae81bdc9cf0f939cc4cbe3662dad0852acb9c4d8843
                                  • Instruction Fuzzy Hash: 43B17B71628341AFDB04DF64D889F6ABBE4BF88310F008A1DF5999B291D770E854CF92
                                  APIs
                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002A6CFB
                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002A6D21
                                  • _wcscpy.LIBCMT ref: 002A6D4F
                                  • _wcscmp.LIBCMT ref: 002A6D5A
                                  • _wcscat.LIBCMT ref: 002A6D70
                                  • _wcsstr.LIBCMT ref: 002A6D7B
                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002A6D97
                                  • _wcscat.LIBCMT ref: 002A6DE0
                                  • _wcscat.LIBCMT ref: 002A6DE7
                                  • _wcsncpy.LIBCMT ref: 002A6E12
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 699586101-1459072770
                                  • Opcode ID: b96f320dc48bb777a1774669071b1bf28b1fa2965ab870699efb091738b0d87e
                                  • Instruction ID: ae621b59fac157d540f068fa86a7f7acca97b6f0640a7fd0b096d5d1586a919b
                                  • Opcode Fuzzy Hash: b96f320dc48bb777a1774669071b1bf28b1fa2965ab870699efb091738b0d87e
                                  • Instruction Fuzzy Hash: C8410676621205BBEB00BB64DD87EBF777CDF06310F040026F905A61C2EF749A258B61
                                  APIs
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0027A939
                                  • GetSystemMetrics.USER32(00000007), ref: 0027A941
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0027A96C
                                  • GetSystemMetrics.USER32(00000008), ref: 0027A974
                                  • GetSystemMetrics.USER32(00000004), ref: 0027A999
                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0027A9B6
                                  • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0027A9C6
                                  • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0027A9F9
                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0027AA0D
                                  • GetClientRect.USER32(00000000,000000FF), ref: 0027AA2B
                                  • GetStockObject.GDI32(00000011), ref: 0027AA47
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0027AA52
                                    • Part of subcall function 0027B63C: GetCursorPos.USER32(000000FF), ref: 0027B64F
                                    • Part of subcall function 0027B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0027B66C
                                    • Part of subcall function 0027B63C: GetAsyncKeyState.USER32(00000001), ref: 0027B691
                                    • Part of subcall function 0027B63C: GetAsyncKeyState.USER32(00000002), ref: 0027B69F
                                  • SetTimer.USER32(00000000,00000000,00000028,0027AB87), ref: 0027AA79
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                  • String ID: AutoIt v3 GUI
                                  • API String ID: 1458621304-248962490
                                  • Opcode ID: f8e5f2b986636d46692f08397b9bda2ccb3107329422bc3c7ce84ecffe437f8f
                                  • Instruction ID: 4ce9eb4834f08e5c1c8c6d81d881e9a6a011128f1b4c0e142fc6ba92823bb304
                                  • Opcode Fuzzy Hash: f8e5f2b986636d46692f08397b9bda2ccb3107329422bc3c7ce84ecffe437f8f
                                  • Instruction Fuzzy Hash: 47B1A07165020ADFDB14DFA8DD89BAD7BB4FB48324F118229FA09AB290D770D861CF51
                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002C3735
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,002FDC00,00000000,?,00000000,?,?), ref: 002C37A3
                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002C37EB
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002C3874
                                  • RegCloseKey.ADVAPI32(?), ref: 002C3B94
                                  • RegCloseKey.ADVAPI32(00000000), ref: 002C3BA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Close$ConnectCreateRegistryValue
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 536824911-966354055
                                  • Opcode ID: 9e619b56432305073726157af8b9254ee19725082596600e121bd4255526fc9b
                                  • Instruction ID: 44e3889af46d4fdfc1b77ec8f12adcc20cc3d7d90a11ea25d5c403c3067067dd
                                  • Opcode Fuzzy Hash: 9e619b56432305073726157af8b9254ee19725082596600e121bd4255526fc9b
                                  • Instruction Fuzzy Hash: 3E0237752206019FCB14EF14C885E2AB7E5FF88724F14895DF98A9B3A1CB30ED65CB81
                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 002C6C56
                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002C6D16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BuffCharMessageSendUpper
                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                  • API String ID: 3974292440-719923060
                                  • Opcode ID: 6ffa7378ef6babdc52092ee6fee580507c44d38ca825c15028bfd719aeab06da
                                  • Instruction ID: a7d1c196ad60ad7c056b7d156249b7b0420278e640ddd1c6b658aa7e8470e037
                                  • Opcode Fuzzy Hash: 6ffa7378ef6babdc52092ee6fee580507c44d38ca825c15028bfd719aeab06da
                                  • Instruction Fuzzy Hash: 13A190342342419BCB15EF10C955F6AB3A5BF48314F108A6EB85A5B3D2DB70EC6ACB51
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0029CF91
                                  • __swprintf.LIBCMT ref: 0029D032
                                  • _wcscmp.LIBCMT ref: 0029D045
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0029D09A
                                  • _wcscmp.LIBCMT ref: 0029D0D6
                                  • GetClassNameW.USER32(?,?,00000400), ref: 0029D10D
                                  • GetDlgCtrlID.USER32(?), ref: 0029D15F
                                  • GetWindowRect.USER32(?,?), ref: 0029D195
                                  • GetParent.USER32(?), ref: 0029D1B3
                                  • ScreenToClient.USER32(00000000), ref: 0029D1BA
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0029D234
                                  • _wcscmp.LIBCMT ref: 0029D248
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0029D26E
                                  • _wcscmp.LIBCMT ref: 0029D282
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                  • String ID: %s%u
                                  • API String ID: 3119225716-679674701
                                  • Opcode ID: d3eb87f88416f76d7fa44aa40fbd01b4ef9185edb7cf827f699d385b6dd8d67e
                                  • Instruction ID: a1e1d6da8773ae33fcff90ff559b7c7b41e9e4ca3622ae1c894c35a73c2a7ffa
                                  • Opcode Fuzzy Hash: d3eb87f88416f76d7fa44aa40fbd01b4ef9185edb7cf827f699d385b6dd8d67e
                                  • Instruction Fuzzy Hash: A5A1E131624303AFDB14DF64C884BAAB7A8FF44304F10891AFD99D3181DB30E966DBA1
                                  APIs
                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 0029D8EB
                                  • _wcscmp.LIBCMT ref: 0029D8FC
                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 0029D924
                                  • CharUpperBuffW.USER32(?,00000000), ref: 0029D941
                                  • _wcscmp.LIBCMT ref: 0029D95F
                                  • _wcsstr.LIBCMT ref: 0029D970
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0029D9A8
                                  • _wcscmp.LIBCMT ref: 0029D9B8
                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 0029D9DF
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0029DA28
                                  • _wcscmp.LIBCMT ref: 0029DA38
                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 0029DA60
                                  • GetWindowRect.USER32(00000004,?), ref: 0029DAC9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                  • String ID: @$ThumbnailClass
                                  • API String ID: 1788623398-1539354611
                                  • Opcode ID: cfe31f9b4ead8f7d5b0d498faf88026d3b042e1175539bb5882b0c5b2cd38ba3
                                  • Instruction ID: 1e057ea349c73cc4312686fccf63d7a215d8cc5015f7516b33f596205771265e
                                  • Opcode Fuzzy Hash: cfe31f9b4ead8f7d5b0d498faf88026d3b042e1175539bb5882b0c5b2cd38ba3
                                  • Instruction Fuzzy Hash: F181C2310283469FDF05DF10D885FAA7BE8EF44318F04446AFD899A096DB30ED66DBA1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                  • API String ID: 1038674560-1810252412
                                  • Opcode ID: a0bcc6e442b40956c15815e688d1b2e4da855c43ad04eaabeddf14d0f0275710
                                  • Instruction ID: cc3fbd42d3b0c8bb2395fd4bc4693519da35a759ea1bd96887946b09b8c98deb
                                  • Opcode Fuzzy Hash: a0bcc6e442b40956c15815e688d1b2e4da855c43ad04eaabeddf14d0f0275710
                                  • Instruction Fuzzy Hash: CC31C135A68205AADF19FF90CD83EEEB3649F24304F700128F441B10D2EB91AEB4DA51
                                  APIs
                                  • LoadIconW.USER32(00000063), ref: 0029EAB0
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0029EAC2
                                  • SetWindowTextW.USER32(?,?), ref: 0029EAD9
                                  • GetDlgItem.USER32(?,000003EA), ref: 0029EAEE
                                  • SetWindowTextW.USER32(00000000,?), ref: 0029EAF4
                                  • GetDlgItem.USER32(?,000003E9), ref: 0029EB04
                                  • SetWindowTextW.USER32(00000000,?), ref: 0029EB0A
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0029EB2B
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0029EB45
                                  • GetWindowRect.USER32(?,?), ref: 0029EB4E
                                  • SetWindowTextW.USER32(?,?), ref: 0029EBB9
                                  • GetDesktopWindow.USER32 ref: 0029EBBF
                                  • GetWindowRect.USER32(00000000), ref: 0029EBC6
                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0029EC12
                                  • GetClientRect.USER32(?,?), ref: 0029EC1F
                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0029EC44
                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0029EC6F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  • Opcode ID: 0252494d387576db4f4b578ea9b58039f2f25f1ad860083138b79a56002598fc
                                  • Instruction ID: 83a4245ba9cfd352019f5fdfdd676c1facfda0c5a8f83c154e39274003984a11
                                  • Opcode Fuzzy Hash: 0252494d387576db4f4b578ea9b58039f2f25f1ad860083138b79a56002598fc
                                  • Instruction Fuzzy Hash: 6A514F7190070AAFDF21DFA8DD89B6EBBF9FF04704F014928E596A66A0C774A954CF10
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 002B79C6
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 002B79D1
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 002B79DC
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 002B79E7
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 002B79F2
                                  • LoadCursorW.USER32(00000000,00007F81), ref: 002B79FD
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 002B7A08
                                  • LoadCursorW.USER32(00000000,00007F80), ref: 002B7A13
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 002B7A1E
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 002B7A29
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 002B7A34
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 002B7A3F
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 002B7A4A
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 002B7A55
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 002B7A60
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 002B7A6B
                                  • GetCursorInfo.USER32(?), ref: 002B7A7B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Cursor$Load$Info
                                  • String ID:
                                  • API String ID: 2577412497-0
                                  • Opcode ID: 314828020c7293193cfc67b2a292163bf03d567bc2f9af264e45a20021edc327
                                  • Instruction ID: 2d58c3e17fc0042be36190424e0a6c5f301570dec45568a0fda36818aa5b7119
                                  • Opcode Fuzzy Hash: 314828020c7293193cfc67b2a292163bf03d567bc2f9af264e45a20021edc327
                                  • Instruction Fuzzy Hash: 1F313AB0D4831A6ADB509FB68C8999FBFE8FF44750F50452BE50DE7280DA78A5008FA1
                                  APIs
                                    • Part of subcall function 0027E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0026C8B7,?,00002000,?,?,00000000,?,0026419E,?,?,?,002FDC00), ref: 0027E984
                                    • Part of subcall function 0026660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002653B1,?,?,002661FF,?,00000000,00000001,00000000), ref: 0026662F
                                  • __wsplitpath.LIBCMT ref: 0026C93E
                                    • Part of subcall function 00281DFC: __wsplitpath_helper.LIBCMT ref: 00281E3C
                                  • _wcscpy.LIBCMT ref: 0026C953
                                  • _wcscat.LIBCMT ref: 0026C968
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0026C978
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0026CABE
                                    • Part of subcall function 0026B337: _wcscpy.LIBCMT ref: 0026B36F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                  • API String ID: 2258743419-1018226102
                                  • Opcode ID: b3092df425b274aad82a1a218cc6b9b1e8db5a03dd3ad2163481dc78d4b700da
                                  • Instruction ID: d84c13d247e16f1e7d5bf0b3fcfb62ef6c5ffff0db4bb430a28320aebf7225fe
                                  • Opcode Fuzzy Hash: b3092df425b274aad82a1a218cc6b9b1e8db5a03dd3ad2163481dc78d4b700da
                                  • Instruction Fuzzy Hash: 2C128A715283419FC724EF24C881AAFBBE5AF99304F50491EF5C993291DB30DAA9CF52
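The function above is the AutoIt script loader: its string table carries the ">>>AUTOIT SCRIPT<<<" marker, the "AU3!" / "EA06" tag fragments and the interpreter's own parse errors, which is the evidence behind the report's "Binary is likely a compiled AutoIt script file" verdict. The following Python is an added triage check written for this page, not code from Joe Sandbox or from the sample. It scans a file for those markers and reports where they sit. It assumes (this is not stated by the report) that the tag is stored contiguously as the 8 bytes "AU3!EA06" and that the marker strings may be stored either as ASCII or as UTF-16LE, so it searches both encodings. The sample buffers at the bottom are constructed for the test and are not bytes from EKSTRE_1022.exe.

```python
import re
from typing import Dict, List

# Tag fragments from the report's string listing, joined into one 8-byte tag.
# Assumption: AutoIt stores "AU3!" and "EA06" back to back.
AU3_MAGIC = b"AU3!EA06"

# The script-body marker from the report, in both encodings we might meet.
SCRIPT_MARKERS = {
    ">>>AUTOIT SCRIPT<<< (utf-16le)": ">>>AUTOIT SCRIPT<<<".encode("utf-16-le"),
    ">>>AUTOIT SCRIPT<<< (ascii)": b">>>AUTOIT SCRIPT<<<",
}

# Interpreter-stub strings from the report that stay visible even when the
# embedded script itself is compressed or encrypted.
RUNTIME_STRINGS = {
    "AutoIt v3 GUI": "AutoIt v3 GUI".encode("utf-16-le"),
    "#include depth exceeded": "#include depth exceeded".encode("utf-16-le"),
}


def _offsets(needle: bytes, data: bytes) -> List[int]:
    """Every byte offset at which `needle` occurs in `data`."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def find_autoit_markers(data: bytes) -> Dict[str, List[int]]:
    """Map each AutoIt marker present in `data` to the offsets where it occurs."""
    candidates = [("AU3!EA06", AU3_MAGIC),
                  *SCRIPT_MARKERS.items(),
                  *RUNTIME_STRINGS.items()]
    hits: Dict[str, List[int]] = {}
    for name, needle in candidates:
        offs = _offsets(needle, data)
        if offs:
            hits[name] = offs
    return hits


def classify(data: bytes) -> str:
    """Coarse verdict: compiled script, partial evidence, stub only, or nothing."""
    hits = find_autoit_markers(data)
    has_magic = "AU3!EA06" in hits
    has_script = any(k.startswith(">>>AUTOIT SCRIPT<<<") for k in hits)
    has_runtime = any(k in hits for k in RUNTIME_STRINGS)
    if has_magic and has_script:
        return "compiled-autoit"
    if has_magic or has_script:
        return "autoit-partial"
    if has_runtime:
        return "autoit-runtime-only"
    return "none"


def triage_file(path: str) -> dict:
    """Read a file from disk and return its verdict plus marker offsets."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"verdict": classify(data), "markers": find_autoit_markers(data)}


# Constructed sample buffers for demonstration; not data from the sample.
SAMPLE_COMPILED = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00" * 16   # stub string at 64
    + AU3_MAGIC + b"\x00" * 8                              # tag at offset 106
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00" * 4  # marker at 122
)
SAMPLE_STUB_ONLY = b"MZ" + b"\x00" * 30 + "AutoIt v3 GUI".encode("utf-16-le")
SAMPLE_CLEAN = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, triage_file(p))
```

Run it as `python autoit_triage.py <file>` (the script name is arbitrary). A "compiled-autoit" verdict on a binary whose icon and metadata claim to be something else is the point at which you would hand it to a script extractor; "autoit-runtime-only" means the interpreter stub is present but the script body was not found in plain form, which is worth a second look rather than a pass.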
                                  APIs
                                  • _memset.LIBCMT ref: 002CCEFB
                                  • DestroyWindow.USER32(?,?), ref: 002CCF73
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002CCFF4
                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002CD016
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002CD025
                                  • DestroyWindow.USER32(?), ref: 002CD042
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00260000,00000000), ref: 002CD075
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002CD094
                                  • GetDesktopWindow.USER32 ref: 002CD0A9
                                  • GetWindowRect.USER32(00000000), ref: 002CD0B0
                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002CD0C2
                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002CD0DA
                                    • Part of subcall function 0027B526: GetWindowLongW.USER32(?,000000EB), ref: 0027B537
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                  • String ID: 0$tooltips_class32
                                  • API String ID: 3877571568-3619404913
                                  • Opcode ID: 5b9dc74aa81c9cb46f755f43cbd4a661854d3803e3f5a9323df5a0a8327d487e
                                  • Instruction ID: 4259bc1779fa8605225bd5c52754189bf965a4614caeebc4507be65bb437b3db
                                  • Opcode Fuzzy Hash: 5b9dc74aa81c9cb46f755f43cbd4a661854d3803e3f5a9323df5a0a8327d487e
                                  • Instruction Fuzzy Hash: B871E074160346AFD721CF28DC85FAA77E9EB88704F14462EF9858B2A1D770E952CB12
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • DragQueryPoint.SHELL32(?,?), ref: 002CF37A
                                    • Part of subcall function 002CD7DE: ClientToScreen.USER32(?,?), ref: 002CD807
                                    • Part of subcall function 002CD7DE: GetWindowRect.USER32(?,?), ref: 002CD87D
                                    • Part of subcall function 002CD7DE: PtInRect.USER32(?,?,002CED5A), ref: 002CD88D
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002CF3E3
                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002CF3EE
                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002CF411
                                  • _wcscat.LIBCMT ref: 002CF441
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002CF458
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002CF471
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 002CF488
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 002CF4AA
                                  • DragFinish.SHELL32(?), ref: 002CF4B1
                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002CF59C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                  • API String ID: 169749273-3440237614
                                  • Opcode ID: 228f17af2c89dbeab266d61789a4597772fa2a75e78c6fc8fbdf64f6053d61db
                                  • Instruction ID: 9a7a8b632d40fad1fc06b808e33dd6e6ca2dc2d96a40023d0e3b209b9ac287b7
                                  • Opcode Fuzzy Hash: 228f17af2c89dbeab266d61789a4597772fa2a75e78c6fc8fbdf64f6053d61db
                                  • Instruction Fuzzy Hash: 5C616B71108300AFC715EF60DC89EAFBBF8EF98714F000A1EF695961A1DB709A59CB52
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 002AAB3D
                                  • VariantCopy.OLEAUT32(?,?), ref: 002AAB46
                                  • VariantClear.OLEAUT32(?), ref: 002AAB52
                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002AAC40
                                  • __swprintf.LIBCMT ref: 002AAC70
                                  • VarR8FromDec.OLEAUT32(?,?), ref: 002AAC9C
                                  • VariantInit.OLEAUT32(?), ref: 002AAD4D
                                  • SysFreeString.OLEAUT32(00000016), ref: 002AADDF
                                  • VariantClear.OLEAUT32(?), ref: 002AAE35
                                  • VariantClear.OLEAUT32(?), ref: 002AAE44
                                  • VariantInit.OLEAUT32(00000000), ref: 002AAE80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                  • API String ID: 3730832054-3931177956
                                  • Opcode ID: bf780c538fccb5137a04c0fff479c171804c3618c0f6b8adafc66006c1ab3d77
                                  • Instruction ID: bf1125642209b546302fd8576a4498353f9c56bc3aa72f01c410ca07bc1b9236
                                  • Opcode Fuzzy Hash: bf780c538fccb5137a04c0fff479c171804c3618c0f6b8adafc66006c1ab3d77
                                  • Instruction Fuzzy Hash: 5FD1E271A24206DBDB209F69D885B6EB7B5FF06700F148865E4059B1C0DFB0ECB0DBA2
                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 002C71FC
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002C7247
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BuffCharMessageSendUpper
                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                  • API String ID: 3974292440-4258414348
                                  • Opcode ID: 44cbf7fc0ac311e71519438b06ec5b6a4a1e6bf22a65d103125544eba9d1f4ab
                                  • Instruction ID: 5966bfb0628544035799d3ca45b439e5c4a17cb7d561a067b4b8af545aa39e93
                                  • Opcode Fuzzy Hash: 44cbf7fc0ac311e71519438b06ec5b6a4a1e6bf22a65d103125544eba9d1f4ab
                                  • Instruction Fuzzy Hash: 7F9182342247019BCF05EF10C441A6EB7A9BF98310F15899DF89A5B392DB70ED66CF91
                                  APIs
                                  • EnumChildWindows.USER32(?,0029CF50), ref: 0029CE90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ChildEnumWindows
                                  • String ID: 4+1$CLASS$CLASSNN$H+1$INSTANCE$L+1$NAME$P+1$REGEXPCLASS$T+1$TEXT
                                  • API String ID: 3555792229-4032195090
                                  • Opcode ID: 838bb7eac1d7b89bded62c654eabc38e5ca3d314ac962a463f15aefc5ec16387
                                  • Instruction ID: e9096c4ea85d0a07a39fd86a528e6a4638b55db5541e49e7f20dd9ac7dcae12e
                                  • Opcode Fuzzy Hash: 838bb7eac1d7b89bded62c654eabc38e5ca3d314ac962a463f15aefc5ec16387
                                  • Instruction Fuzzy Hash: 6E91A7346245069BCF19DF60C481BEAFB79BF04300F60855AD98EA7191DF7069BADBE0
                                  APIs
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002CE5AB
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002CBEAF), ref: 002CE607
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002CE647
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002CE68C
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002CE6C3
                                  • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,002CBEAF), ref: 002CE6CF
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002CE6DF
                                  • DestroyIcon.USER32(?,?,?,?,?,002CBEAF), ref: 002CE6EE
                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002CE70B
                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002CE717
                                    • Part of subcall function 00280FA7: __wcsicmp_l.LIBCMT ref: 00281030
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                  • String ID: .dll$.exe$.icl
                                  • API String ID: 1212759294-1154884017
                                  • Opcode ID: 4ee99ddd040497fa67674804f06d2a493c97c3f78c934e6d3639e466963b1791
                                  • Instruction ID: d815614b4fd278d1691774e405477e4ec5de467ef785846b3efd0cec028dba89
                                  • Opcode Fuzzy Hash: 4ee99ddd040497fa67674804f06d2a493c97c3f78c934e6d3639e466963b1791
                                  • Instruction Fuzzy Hash: 4C61D371560255BAEF24DF64DC85FFE7BACBB18714F204209F915DA0D0EB7099A0CBA0
                                  APIs
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • CharLowerBuffW.USER32(?,?), ref: 002AD292
                                  • GetDriveTypeW.KERNEL32 ref: 002AD2DF
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002AD327
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002AD35E
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002AD38C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 1148790751-4113822522
                                  • Opcode ID: 3b6a852839d647c91f8fe98ac897d3233efaead07147e10dc3cc213715d2cf28
                                  • Instruction ID: 3e7268b220acdc65c46a7ad0ad7dd7b832e736c6f6133fdf788d27d000aa2c4a
                                  • Opcode Fuzzy Hash: 3b6a852839d647c91f8fe98ac897d3233efaead07147e10dc3cc213715d2cf28
                                  • Instruction Fuzzy Hash: 2F515B751143059FC705EF10C8819AEB7E8EF99718F10885DF88AA7261DB31EE59CF52
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,002D3973,00000016,0000138C,00000016,?,00000016,002FDDB4,00000000,?), ref: 002A26F1
                                  • LoadStringW.USER32(00000000,?,002D3973,00000016), ref: 002A26FA
                                  • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,002D3973,00000016,0000138C,00000016,?,00000016,002FDDB4,00000000,?,00000016), ref: 002A271C
                                  • LoadStringW.USER32(00000000,?,002D3973,00000016), ref: 002A271F
                                  • __swprintf.LIBCMT ref: 002A276F
                                  • __swprintf.LIBCMT ref: 002A2780
                                  • _wprintf.LIBCMT ref: 002A2829
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002A2840
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                  • API String ID: 618562835-2268648507
                                  • Opcode ID: 00f516528f9d5cd55e71cb6e44e9747cac9c7d2ed52258d2c2b4249845d3e784
                                  • Instruction ID: e78c5294d4f0013eac70e3633419c0d6975e31109d915daeddd17a5b451f483a
                                  • Opcode Fuzzy Hash: 00f516528f9d5cd55e71cb6e44e9747cac9c7d2ed52258d2c2b4249845d3e784
                                  • Instruction Fuzzy Hash: 41414B72810218AACB15FBE0DD86EEEB778AF19340F100065B50576092EA756FA9CF60
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002AD0D8
                                  • __swprintf.LIBCMT ref: 002AD0FA
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 002AD137
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002AD15C
                                  • _memset.LIBCMT ref: 002AD17B
                                  • _wcsncpy.LIBCMT ref: 002AD1B7
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002AD1EC
                                  • CloseHandle.KERNEL32(00000000), ref: 002AD1F7
                                  • RemoveDirectoryW.KERNEL32(?), ref: 002AD200
                                  • CloseHandle.KERNEL32(00000000), ref: 002AD20A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                  • String ID: :$\$\??\%s
                                  • API String ID: 2733774712-3457252023
                                  • Opcode ID: 104a506bed9229c0c303e10868750a5c47e62fd02c0b03282c8d39ef9e67761e
                                  • Instruction ID: 37f1f9d3e4051310cf0c68b638c1806d5fcb6ca1f9f56da0990f654ff311defb
                                  • Opcode Fuzzy Hash: 104a506bed9229c0c303e10868750a5c47e62fd02c0b03282c8d39ef9e67761e
                                  • Instruction Fuzzy Hash: AF31C3B655010AABDB21DFA0DC88FEB37BCEF89700F1040B6F909D60A1EB7096548B24
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002CBEF4,?,?), ref: 002CE754
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE76B
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE776
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE783
                                  • GlobalLock.KERNEL32(00000000), ref: 002CE78C
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE79B
                                  • GlobalUnlock.KERNEL32(00000000), ref: 002CE7A4
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE7AB
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002CBEF4,?,?,00000000,?), ref: 002CE7BC
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,002ED9BC,?), ref: 002CE7D5
                                  • GlobalFree.KERNEL32(00000000), ref: 002CE7E5
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 002CE809
                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002CE834
                                  • DeleteObject.GDI32(00000000), ref: 002CE85C
                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002CE872
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3840717409-0
                                  • Opcode ID: f93cdcf36b8024019be37b8b1e3110f3ff2b81b7897af687150d3d084729e930
                                  • Instruction ID: 5391aaabe7539668198d2bcf427dc1c1fa10a5948d565842fa7b73d5f03a2fc7
                                  • Opcode Fuzzy Hash: f93cdcf36b8024019be37b8b1e3110f3ff2b81b7897af687150d3d084729e930
                                  • Instruction Fuzzy Hash: FF415875640245FFDB119F65EC8CEAABBB8EF89711F108558F90ADB2A0C731AD41DB20
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 002B076F
                                  • _wcscat.LIBCMT ref: 002B0787
                                  • _wcscat.LIBCMT ref: 002B0799
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B07AE
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B07C2
                                  • GetFileAttributesW.KERNEL32(?), ref: 002B07DA
                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 002B07F4
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002B0806
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                  • String ID: *.*
                                  • API String ID: 34673085-438819550
                                  • Opcode ID: 74ea33f47339293c14ba94b8377046847515299d3d46ebc1a297540bd3189db0
                                  • Instruction ID: bf65f3d5bb3926de6c64a8442c049885135334294c02caeb9d8c14cc93e1d429
                                  • Opcode Fuzzy Hash: 74ea33f47339293c14ba94b8377046847515299d3d46ebc1a297540bd3189db0
                                  • Instruction Fuzzy Hash: 038193715243419FCB25DF24C4C59AFB7D8BBD8384F14882EF889D7251EA70E9648F52
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002CEF3B
                                  • GetFocus.USER32 ref: 002CEF4B
                                  • GetDlgCtrlID.USER32(00000000), ref: 002CEF56
                                  • _memset.LIBCMT ref: 002CF081
                                  • GetMenuItemInfoW.USER32 ref: 002CF0AC
                                  • GetMenuItemCount.USER32(00000000), ref: 002CF0CC
                                  • GetMenuItemID.USER32(?,00000000), ref: 002CF0DF
                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 002CF113
                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 002CF15B
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002CF193
                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002CF1C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                  • String ID: 0
                                  • API String ID: 1296962147-4108050209
                                  • Opcode ID: c4d5a302bed11ace1f036874ad33aaa6f1dc389a62ce9fe4605fa14422a30296
                                  • Instruction ID: 379cbe998682e9fffcf690d5f749ebb37f246d5f9b397a3ded1d1362ceaaae76
                                  • Opcode Fuzzy Hash: c4d5a302bed11ace1f036874ad33aaa6f1dc389a62ce9fe4605fa14422a30296
                                  • Instruction Fuzzy Hash: 77819E70524302AFDB20CF14D984EABBBEAFB88314F14462EF99897291D771D915CF92
                                  APIs
                                    • Part of subcall function 0029ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0029ABD7
                                    • Part of subcall function 0029ABBB: GetLastError.KERNEL32(?,0029A69F,?,?,?), ref: 0029ABE1
                                    • Part of subcall function 0029ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0029A69F,?,?,?), ref: 0029ABF0
                                    • Part of subcall function 0029ABBB: HeapAlloc.KERNEL32(00000000,?,0029A69F,?,?,?), ref: 0029ABF7
                                    • Part of subcall function 0029ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0029AC0E
                                    • Part of subcall function 0029AC56: GetProcessHeap.KERNEL32(00000008,0029A6B5,00000000,00000000,?,0029A6B5,?), ref: 0029AC62
                                    • Part of subcall function 0029AC56: HeapAlloc.KERNEL32(00000000,?,0029A6B5,?), ref: 0029AC69
                                    • Part of subcall function 0029AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0029A6B5,?), ref: 0029AC7A
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0029A8CB
                                  • _memset.LIBCMT ref: 0029A8E0
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0029A8FF
                                  • GetLengthSid.ADVAPI32(?), ref: 0029A910
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0029A94D
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0029A969
                                  • GetLengthSid.ADVAPI32(?), ref: 0029A986
                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0029A995
                                  • HeapAlloc.KERNEL32(00000000), ref: 0029A99C
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0029A9BD
                                  • CopySid.ADVAPI32(00000000), ref: 0029A9C4
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0029A9F5
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0029AA1B
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0029AA2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                  • String ID:
                                  • API String ID: 3996160137-0
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: LoadString__swprintf_wprintf
                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2889450990-2391861430
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: LoadString__swprintf_wprintf
                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2889450990-3420473620
                                  APIs
                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,002C2BB5,?,?), ref: 002C3C1D
                                  Strings
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: $E1$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                  • API String ID: 3964851224-2468612968
                                  APIs
                                  • _memset.LIBCMT ref: 002A55D7
                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 002A5664
                                  • GetMenuItemCount.USER32(00321708), ref: 002A56ED
                                  • DeleteMenu.USER32(00321708,00000005,00000000,000000F5,?,?), ref: 002A577D
                                  • DeleteMenu.USER32(00321708,00000004,00000000), ref: 002A5785
                                  • DeleteMenu.USER32(00321708,00000006,00000000), ref: 002A578D
                                  • DeleteMenu.USER32(00321708,00000003,00000000), ref: 002A5795
                                  • GetMenuItemCount.USER32(00321708), ref: 002A579D
                                  • SetMenuItemInfoW.USER32(00321708,00000004,00000000,00000030), ref: 002A57D3
                                  • GetCursorPos.USER32(?), ref: 002A57DD
                                  • SetForegroundWindow.USER32(00000000), ref: 002A57E6
                                  • TrackPopupMenuEx.USER32(00321708,00000000,?,00000000,00000000,00000000), ref: 002A57F9
                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A5805
                                  Similarity
                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                  • String ID:
                                  • API String ID: 3993528054-0
                                  APIs
                                  • _memset.LIBCMT ref: 0029A1DC
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0029A211
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0029A22D
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0029A249
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0029A273
                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0029A29B
                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0029A2A6
                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0029A2AB
                                  Strings
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 1687751970-22481851
                                  APIs
                                  • __swprintf.LIBCMT ref: 002A67FD
                                  • __swprintf.LIBCMT ref: 002A680A
                                    • Part of subcall function 0028172B: __woutput_l.LIBCMT ref: 00281784
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 002A6834
                                  • LoadResource.KERNEL32(?,00000000), ref: 002A6840
                                  • LockResource.KERNEL32(00000000), ref: 002A684D
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 002A686D
                                  • LoadResource.KERNEL32(?,00000000), ref: 002A687F
                                  • SizeofResource.KERNEL32(?,00000000), ref: 002A688E
                                  • LockResource.KERNEL32(?), ref: 002A689A
                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002A68F9
                                  Strings
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                  • String ID: 51
                                  • API String ID: 1433390588-400446992
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002D36F4,00000010,?,Bad directive syntax error,002FDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002A25D6
                                  • LoadStringW.USER32(00000000,?,002D36F4,00000010), ref: 002A25DD
                                  • _wprintf.LIBCMT ref: 002A2610
                                  • __swprintf.LIBCMT ref: 002A2632
                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002A26A1
                                  Strings
                                  Similarity
                                  • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                  • API String ID: 1080873982-4153970271
                                  APIs
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002A7B42
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002A7B58
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A7B69
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002A7B7B
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002A7B8C
                                  Strings
                                  Similarity
                                  • API ID: SendString
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 890592661-1007645807
                                  APIs
                                  • timeGetTime.WINMM ref: 002A7794
                                    • Part of subcall function 0027DC38: timeGetTime.WINMM(?,75A8B400,002D58AB), ref: 0027DC3C
                                  • Sleep.KERNEL32(0000000A), ref: 002A77C0
                                  • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002A77E4
                                  • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 002A7806
                                  • SetActiveWindow.USER32 ref: 002A7825
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002A7833
                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 002A7852
                                  • Sleep.KERNEL32(000000FA), ref: 002A785D
                                  • IsWindow.USER32 ref: 002A7869
                                  • EndDialog.USER32(00000000), ref: 002A787A
                                  Strings
                                  Similarity
                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                  • String ID: BUTTON
                                  • API String ID: 1194449130-3405671355
                                  APIs
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • CoInitialize.OLE32(00000000), ref: 002B034B
                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002B03DE
                                  • SHGetDesktopFolder.SHELL32(?), ref: 002B03F2
                                  • CoCreateInstance.OLE32(002EDA8C,00000000,00000001,00313CF8,?), ref: 002B043E
                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002B04AD
                                  • CoTaskMemFree.OLE32(?,?), ref: 002B0505
                                  • _memset.LIBCMT ref: 002B0542
                                  • SHBrowseForFolderW.SHELL32(?), ref: 002B057E
                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002B05A1
                                  • CoTaskMemFree.OLE32(00000000), ref: 002B05A8
                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002B05DF
                                  • CoUninitialize.OLE32(00000001,00000000), ref: 002B05E1
                                  Similarity
                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                  • String ID:
                                  • API String ID: 1246142700-0
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 002A2ED6
                                  • SetKeyboardState.USER32(?), ref: 002A2F41
                                  • GetAsyncKeyState.USER32(000000A0), ref: 002A2F61
                                  • GetKeyState.USER32(000000A0), ref: 002A2F78
                                  • GetAsyncKeyState.USER32(000000A1), ref: 002A2FA7
                                  • GetKeyState.USER32(000000A1), ref: 002A2FB8
                                  • GetAsyncKeyState.USER32(00000011), ref: 002A2FE4
                                  • GetKeyState.USER32(00000011), ref: 002A2FF2
                                  • GetAsyncKeyState.USER32(00000012), ref: 002A301B
                                  • GetKeyState.USER32(00000012), ref: 002A3029
                                  • GetAsyncKeyState.USER32(0000005B), ref: 002A3052
                                  • GetKeyState.USER32(0000005B), ref: 002A3060
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: d6dbe712d84b4408e669c68345fb265d3950361cfe64af06ace7f4fd7e7140cc
                                  • Instruction ID: a4d1b2834e83664dd624c50be955ebb4aca656f5414026e26e145f86df0be4fa
                                  • Opcode Fuzzy Hash: d6dbe712d84b4408e669c68345fb265d3950361cfe64af06ace7f4fd7e7140cc
                                  • Instruction Fuzzy Hash: 555108209147856BFB35EFB889407AABBF45F13340F088589D5C25A1C2DE94AB9CCB61
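The function above saves the keyboard state with GetKeyboardState, then polls the modifier keys by virtual-key code with both GetAsyncKeyState and GetKeyState: 0xA0 (VK_LSHIFT), 0xA1 (VK_RSHIFT), 0x11 (VK_CONTROL), 0x12 (VK_MENU, the Alt key) and 0x5B (VK_LWIN). When triaging a listing like this it helps to decode those constants and to summarise the API mix of each block mechanically rather than by eye. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API bullet lines in the report's own format into records, decodes modifier VK arguments, and flags the polling pattern. Its input is the twelve lines above, copied verbatim as a constructed sample; the pattern names and the VK table are this example's own (the VK values are the WinUser.h constants). One caveat a practitioner would add: the DriveGetType strings (all, cdrom, fixed, ...) and the %.15g / 0x%p / True / False strings further down this listing are consistent with the AutoIt3 interpreter, whose own Send and HotKey handling polls modifier keys in this way, so the block by itself is an indicator to triage, not a keylogging verdict.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the API lines of the function block above, copied
# verbatim from the report (bullet, Name.MODULE(args), ref: address).
SAMPLE = """\
• GetKeyboardState.USER32(?), ref: 002A2ED6
• SetKeyboardState.USER32(?), ref: 002A2F41
• GetAsyncKeyState.USER32(000000A0), ref: 002A2F61
• GetKeyState.USER32(000000A0), ref: 002A2F78
• GetAsyncKeyState.USER32(000000A1), ref: 002A2FA7
• GetKeyState.USER32(000000A1), ref: 002A2FB8
• GetAsyncKeyState.USER32(00000011), ref: 002A2FE4
• GetKeyState.USER32(00000011), ref: 002A2FF2
• GetAsyncKeyState.USER32(00000012), ref: 002A301B
• GetKeyState.USER32(00000012), ref: 002A3029
• GetAsyncKeyState.USER32(0000005B), ref: 002A3052
• GetKeyState.USER32(0000005B), ref: 002A3060
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, an optional "(args)" (CRT entries such as _wcscpy.LIBCMT carry
# none), then ", ref: ADDR" or " ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Modifier virtual-key codes from WinUser.h: side-independent codes,
# left/right variants, and the two Windows keys.
MODIFIER_VK = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}

KEYSTATE_APIS = {"GetAsyncKeyState", "GetKeyState"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[str] = None


def parse_api_lines(text: str) -> list:
    """Parse the 'APIs' bullet lines of a Joe Sandbox function block."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Strings" are skipped
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(),
                             args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def vk_name(arg: str) -> Optional[str]:
    """Map a hex argument to a modifier VK name, or None if it is not one."""
    try:
        return MODIFIER_VK.get(int(arg, 16))
    except ValueError:  # '?' (unresolved) or a string literal such as 'static'
        return None


def modifier_keys_polled(calls: list) -> list:
    """Modifier keys whose state is polled, unique, in first-seen order."""
    seen = []
    for c in calls:
        if c.api in KEYSTATE_APIS and c.args:
            name = vk_name(c.args[0])
            if name and name not in seen:
                seen.append(name)
    return seen


def triage(calls: list) -> dict:
    """Summarise one block: API histogram plus the behaviours it suggests."""
    apis = Counter(c.api for c in calls)
    flags = []
    if KEYSTATE_APIS <= set(apis):
        flags.append("modifier-key state polling")
    if {"GetKeyboardState", "SetKeyboardState"} <= set(apis):
        flags.append("keyboard state rewrite (GetKeyboardState/SetKeyboardState)")
    return {"apis": apis, "modifiers": modifier_keys_polled(calls), "flags": flags}


if __name__ == "__main__":
    result = triage(parse_api_lines(SAMPLE))
    print(result["flags"], result["modifiers"])
```

Run the block over any "APIs" section pasted from the report; lines it does not recognise (headers, Strings entries) are skipped, and a "Part of subcall function" prefix is kept in the record so hits inside callees can be told apart from the function's own calls.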
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 0029ED1E
                                  • GetWindowRect.USER32(00000000,?), ref: 0029ED30
                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0029ED8E
                                  • GetDlgItem.USER32(?,00000002), ref: 0029ED99
                                  • GetWindowRect.USER32(00000000,?), ref: 0029EDAB
                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0029EE01
                                  • GetDlgItem.USER32(?,000003E9), ref: 0029EE0F
                                  • GetWindowRect.USER32(00000000,?), ref: 0029EE20
                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0029EE63
                                  • GetDlgItem.USER32(?,000003EA), ref: 0029EE71
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0029EE8E
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0029EE9B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: bafedb2c902177bd0e9aaffa11a45ce5bf3410948282d8847bba53b03df3944c
                                  • Instruction ID: d41866520ec24337c15f684e5e37c48c46a89fea2d9d0c5ea28c29137a8707f4
                                  • Opcode Fuzzy Hash: bafedb2c902177bd0e9aaffa11a45ce5bf3410948282d8847bba53b03df3944c
                                  • Instruction Fuzzy Hash: 8D5100B1B50205AFDF18CF69DD89AAEBBBAFB88711F158129F919D7290D7709D008B10
                                  APIs
                                    • Part of subcall function 0027B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0027B759,?,00000000,?,?,?,?,0027B72B,00000000,?), ref: 0027BA58
                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0027B72B), ref: 0027B7F6
                                  • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0027B72B,00000000,?,?,0027B2EF,?,?), ref: 0027B88D
                                  • DestroyAcceleratorTable.USER32(00000000), ref: 002DD8A6
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0027B72B,00000000,?,?,0027B2EF,?,?), ref: 002DD8D7
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0027B72B,00000000,?,?,0027B2EF,?,?), ref: 002DD8EE
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0027B72B,00000000,?,?,0027B2EF,?,?), ref: 002DD90A
                                  • DeleteObject.GDI32(00000000), ref: 002DD91C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                  • String ID:
                                  • API String ID: 641708696-0
                                  • Opcode ID: d7bbb6cd9b080b744129fecc13a45a167560db9771dafa7473c28f84e0fde7b0
                                  • Instruction ID: aa41cb218634d7ea733f54b8033f27db5c6ae45e97879a1542b4a06f2109d38e
                                  • Opcode Fuzzy Hash: d7bbb6cd9b080b744129fecc13a45a167560db9771dafa7473c28f84e0fde7b0
                                  • Instruction Fuzzy Hash: 0961C131521A01CFDB379F14E988B69B7B9FF60312F14852DE44A8AA70C770ACA1DF40
                                  APIs
                                    • Part of subcall function 0027B526: GetWindowLongW.USER32(?,000000EB), ref: 0027B537
                                  • GetSysColor.USER32(0000000F), ref: 0027B438
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ColorLongWindow
                                  • String ID:
                                  • API String ID: 259745315-0
                                  • Opcode ID: fd7c36e1e7cfc68ca142738d915d6df6200c7362315da2417c526ffead074aae
                                  • Instruction ID: 9fa38e0535638c6c7dcc18103c977aa895b7d99e6dcd1d88b763f865217c6521
                                  • Opcode Fuzzy Hash: fd7c36e1e7cfc68ca142738d915d6df6200c7362315da2417c526ffead074aae
                                  • Instruction Fuzzy Hash: AD41F530050180AFDF225F28ECA9BB93B66EB05731F188261FD698E1E6C7708C51DB21
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                  • String ID:
                                  • API String ID: 136442275-0
                                  • Opcode ID: 51ea73aa6244f7921841da5e2b0560e89ba3128258e0cc86abd36cbdc173e95f
                                  • Instruction ID: 28e0465ee64eea4cf1b6f8f587af3edff61c2aacdee25d04fbc11f5efbcba984
                                  • Opcode Fuzzy Hash: 51ea73aa6244f7921841da5e2b0560e89ba3128258e0cc86abd36cbdc173e95f
                                  • Instruction Fuzzy Hash: 4241FF7B85611CAFCB61EB94CC86DDB73BDEB44300F0441A6B659A2091EB70A7F98F50
                                  APIs
                                  • CharLowerBuffW.USER32(002FDC00,002FDC00,002FDC00), ref: 002AD7CE
                                  • GetDriveTypeW.KERNEL32(?,00313A70,00000061), ref: 002AD898
                                  • _wcscpy.LIBCMT ref: 002AD8C2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy
                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 2820617543-1000479233
                                  • Opcode ID: 484c003d5c75173e9411371c87c31c39e50e59ef4fa5dc756501b31fbaf98745
                                  • Instruction ID: 1359c83960b558814ca0d5dbd174b1829b13edc88ec9b0403f431616831b6e32
                                  • Opcode Fuzzy Hash: 484c003d5c75173e9411371c87c31c39e50e59ef4fa5dc756501b31fbaf98745
                                  • Instruction Fuzzy Hash: 1C51C2351243019FC704EF14C881AAFB7A9EF85714F20882EF59A576A2DB71DD65CE42
                                  APIs
                                  • __swprintf.LIBCMT ref: 002693AB
                                  • __itow.LIBCMT ref: 002693DF
                                    • Part of subcall function 00281557: _xtow@16.LIBCMT ref: 00281578
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __itow__swprintf_xtow@16
                                  • String ID: %.15g$0x%p$False$True
                                  • API String ID: 1502193981-2263619337
                                  • Opcode ID: 7ce122a1efd3fffa6f4ab04ff34a4967844c2725ce09446771d8f7f89238b3eb
                                  • Instruction ID: 1c7914233884992ae44105cd11b0a92eca5dff58705207bffca68df80ea4f7e7
                                  • Opcode Fuzzy Hash: 7ce122a1efd3fffa6f4ab04ff34a4967844c2725ce09446771d8f7f89238b3eb
                                  • Instruction Fuzzy Hash: 0741B472535205ABDB24FF74D942EAA77E8EB48300F2044ABE14AD73C1EA719DB1CB50
                                  APIs
                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002CA259
                                  • CreateCompatibleDC.GDI32(00000000), ref: 002CA260
                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002CA273
                                  • SelectObject.GDI32(00000000,00000000), ref: 002CA27B
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 002CA286
                                  • DeleteDC.GDI32(00000000), ref: 002CA28F
                                  • GetWindowLongW.USER32(?,000000EC), ref: 002CA299
                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002CA2AD
                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002CA2B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                  • String ID: static
                                  • API String ID: 2559357485-2160076837
                                  • Opcode ID: f6d197542dd43eb14ce36b1f047166ca1bf17768226d1a892c833f17f78c327e
                                  • Instruction ID: 2ccedb7673d50971f2f1b35d6eb6974dd2a8429a7d19fa54c251f9ba8b92d8b8
                                  • Opcode Fuzzy Hash: f6d197542dd43eb14ce36b1f047166ca1bf17768226d1a892c833f17f78c327e
                                  • Instruction Fuzzy Hash: 5E319E31151129AFDF215FA4EC49FEA3B6DFF09364F110318FA19AA0A0C731D821DBA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 2620052-3771769585
                                  • Opcode ID: efd995932a3ebea1e70d67362b826d1e406779fcfdd35c2e7e77852f7bbaa268
                                  • Instruction ID: 58b5b45013c637b48a411d06018033d3e2b6a93018ff14cde2e87fe5a9c56ada
                                  • Opcode Fuzzy Hash: efd995932a3ebea1e70d67362b826d1e406779fcfdd35c2e7e77852f7bbaa268
                                  • Instruction Fuzzy Hash: FA110672524215AFDB24AB70EC8EEDAB7ACEF45710F040065F106EA081EF70EAA58B50
                                  APIs
                                  • _memset.LIBCMT ref: 00285047
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  • __gmtime64_s.LIBCMT ref: 002850E0
                                  • __gmtime64_s.LIBCMT ref: 00285116
                                  • __gmtime64_s.LIBCMT ref: 00285133
                                  • __allrem.LIBCMT ref: 00285189
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002851A5
                                  • __allrem.LIBCMT ref: 002851BC
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002851DA
                                  • __allrem.LIBCMT ref: 002851F1
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0028520F
                                  • __invoke_watson.LIBCMT ref: 00285280
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                  • String ID:
                                  • API String ID: 384356119-0
                                  • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                  • Instruction ID: 7ee4b0cf73d8050e3b4f409254afcc66c0502ace80cb416bd107cab36009ad8d
                                  • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                  • Instruction Fuzzy Hash: 1C71DC79A12F27ABEB14BE79CC417AA73A8AF04764F144129F914D72C1EB70DD608BD0
                                  APIs
                                  • _memset.LIBCMT ref: 002A4DF8
                                  • GetMenuItemInfoW.USER32(00321708,000000FF,00000000,00000030), ref: 002A4E59
                                  • SetMenuItemInfoW.USER32(00321708,00000004,00000000,00000030), ref: 002A4E8F
                                  • Sleep.KERNEL32(000001F4), ref: 002A4EA1
                                  • GetMenuItemCount.USER32(?), ref: 002A4EE5
                                  • GetMenuItemID.USER32(?,00000000), ref: 002A4F01
                                  • GetMenuItemID.USER32(?,-00000001), ref: 002A4F2B
                                  • GetMenuItemID.USER32(?,?), ref: 002A4F70
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002A4FB6
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A4FCA
                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A4FEB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                  • String ID:
                                  • API String ID: 4176008265-0
                                  • Opcode ID: a3865b6cdd00fda1199105755f06e00301d976cbb798b781c2903d9c0a0cb18e
                                  • Instruction ID: 9274019dc40e5d624ce22adedf80a87c7f55a252ff77a0b888f7f4293a027fd2
                                  • Opcode Fuzzy Hash: a3865b6cdd00fda1199105755f06e00301d976cbb798b781c2903d9c0a0cb18e
                                  • Instruction Fuzzy Hash: FB61B2B0920289AFDF21EF68D988DAE7BB8FB86304F140159F501D7251DBB1ED25CB20
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002C9C98
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002C9C9B
                                  • GetWindowLongW.USER32(?,000000F0), ref: 002C9CBF
                                  • _memset.LIBCMT ref: 002C9CD0
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C9CE2
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002C9D5A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow_memset
                                  • String ID:
                                  • API String ID: 830647256-0
                                  • Opcode ID: 790e7d819cec53a28a1ed5897c6f3db0cde3056598bce92c2b7f1cf80392f762
                                  • Instruction ID: 7cf51caf2f0fefd94eca6e363875e19a4cc0e5d42ca5894fa7a397d3bd89b71e
                                  • Opcode Fuzzy Hash: 790e7d819cec53a28a1ed5897c6f3db0cde3056598bce92c2b7f1cf80392f762
                                  • Instruction Fuzzy Hash: 0E618B75910208AFDB21DFA8CC85FEEB7B8EB09700F10025AFA05A7291C770AD92DB50
                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002994FE
                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00299549
                                  • VariantInit.OLEAUT32(?), ref: 0029955B
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 0029957B
                                  • VariantCopy.OLEAUT32(?,?), ref: 002995BE
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 002995D2
                                  • VariantClear.OLEAUT32(?), ref: 002995E7
                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 002995F4
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002995FD
                                  • VariantClear.OLEAUT32(?), ref: 0029960F
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0029961A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  • Opcode ID: 3776220155b52ebfbcd433c51c8f7b4f90dd7bd96b2721c47ab99a80adf8a3c0
                                  • Instruction ID: 07743487dbaff1dccac76616d6ba74cb3951d5c483fb29c055e8af2836d49679
                                  • Opcode Fuzzy Hash: 3776220155b52ebfbcd433c51c8f7b4f90dd7bd96b2721c47ab99a80adf8a3c0
                                  • Instruction Fuzzy Hash: 4E415E31910219EFDF01DFA8D8889DEBB79FF18354F008069E515A7251DB31EA95CFA0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$_memset
                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?1$|?1
                                  • API String ID: 2862541840-2363308316
                                  • Opcode ID: 09d27d654c7340967812e00aac33847449956c93a6c72d1ee2db639c8e035020
                                  • Instruction ID: 54ec3df7412603e90a86c4f69849032307d90bca938be261dfeff90337ec260d
                                  • Opcode Fuzzy Hash: 09d27d654c7340967812e00aac33847449956c93a6c72d1ee2db639c8e035020
                                  • Instruction Fuzzy Hash: 5D91AF71A10206AFDF26CFA5C844FEEBBB8EF45750F10815AF515AB180CBB49954CFA0
                                  APIs
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • CoInitialize.OLE32 ref: 002BADF6
                                  • CoUninitialize.OLE32 ref: 002BAE01
                                  • CoCreateInstance.OLE32(?,00000000,00000017,002ED8FC,?), ref: 002BAE61
                                  • IIDFromString.OLE32(?,?), ref: 002BAED4
                                  • VariantInit.OLEAUT32(?), ref: 002BAF6E
                                  • VariantClear.OLEAUT32(?), ref: 002BAFCF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 834269672-1287834457
                                  • Opcode ID: c85f5749fc228be91478da0d09b3df6d9a8f796277107469010d65379886ae1b
                                  • Instruction ID: 09816a1310c630cb57c9ad574de1d086d65d5458c372a270e2b2093a0c2c8133
                                  • Opcode Fuzzy Hash: c85f5749fc228be91478da0d09b3df6d9a8f796277107469010d65379886ae1b
                                  • Instruction Fuzzy Hash: D961CE71228302AFD711DF54C888BAEBBE8AF48794F10441DF9859B291C771EDA4CB93
                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 002B8168
                                  • inet_addr.WSOCK32(?,?,?), ref: 002B81AD
                                  • gethostbyname.WSOCK32(?), ref: 002B81B9
                                  • IcmpCreateFile.IPHLPAPI ref: 002B81C7
                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002B8237
                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002B824D
                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002B82C2
                                  • WSACleanup.WSOCK32 ref: 002B82C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                  • String ID: Ping
                                  • API String ID: 1028309954-2246546115
                                  • Opcode ID: c26af46a651b642bced0de917ea1be9ff4283ccae60c8815f8da8de6a9f7c16f
                                  • Instruction ID: 63de6be94a1ae550af4bc3d05666ca14473324bd3cd9fae6c0141da56aab73a1
                                  • Opcode Fuzzy Hash: c26af46a651b642bced0de917ea1be9ff4283ccae60c8815f8da8de6a9f7c16f
                                  • Instruction Fuzzy Hash: C3519F316246419FDB11AF24DC89BAAB7E8FF48750F148869FA5DDB2A1DB70E810CF41
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 002AE396
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002AE40C
                                  • GetLastError.KERNEL32 ref: 002AE416
                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 002AE483
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: 7a6c230b49231b570fdaeed127d041530f57b33435602ba8337c3d8de9ca4543
                                  • Instruction ID: 45f1fec709d6f77ac9d58b0a04d93f24f6f5e2bf47838eafdfb94f36093c265c
                                  • Opcode Fuzzy Hash: 7a6c230b49231b570fdaeed127d041530f57b33435602ba8337c3d8de9ca4543
                                  • Instruction Fuzzy Hash: E031A475A1020A9FDF01EF68D889AFDBBB8EF0E300F158055E505EB291DF709A52CB91
                                  APIs
                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0029B98C
                                  • GetDlgCtrlID.USER32 ref: 0029B997
                                  • GetParent.USER32 ref: 0029B9B3
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 0029B9B6
                                  • GetDlgCtrlID.USER32(?), ref: 0029B9BF
                                  • GetParent.USER32(?), ref: 0029B9DB
                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 0029B9DE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1383977212-1403004172
                                  • Opcode ID: d6574e627502db2a45dad96480850132fbe695516e509a67b8a95fbee0bcef06
                                  • Instruction ID: 31bc6d9554f3c80ed3111d8e9b046a08eca07e136f505a75beb467dd49baa32e
                                  • Opcode Fuzzy Hash: d6574e627502db2a45dad96480850132fbe695516e509a67b8a95fbee0bcef06
                                  • Instruction Fuzzy Hash: AF21A1B4950108AFDF05AFA4EC86EFEBB79EF49300B100119F661972A1DBB558659F20
                                  APIs
                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0029BA73
                                  • GetDlgCtrlID.USER32 ref: 0029BA7E
                                  • GetParent.USER32 ref: 0029BA9A
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 0029BA9D
                                  • GetDlgCtrlID.USER32(?), ref: 0029BAA6
                                  • GetParent.USER32(?), ref: 0029BAC2
                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 0029BAC5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1383977212-1403004172
                                  • Opcode ID: 15b90e72c9602c19c4a2cd0814a53747d0c3709074dac7c113135428f792dfb6
                                  • Instruction ID: 7e90cc4c54fe43b6743b61626f8b4b9afb6d0009278777bb2b17274946e0a70f
                                  • Opcode Fuzzy Hash: 15b90e72c9602c19c4a2cd0814a53747d0c3709074dac7c113135428f792dfb6
                                  • Instruction Fuzzy Hash: 6A21C2B4A50108BFDF05AFA4EC85EFEBB79EF49300F100019F551A7291DBB959699F20
                                  APIs
                                  • GetParent.USER32 ref: 0029BAE3
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 0029BAF8
                                  • _wcscmp.LIBCMT ref: 0029BB0A
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0029BB85
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameParentSend_wcscmp
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 1704125052-3381328864
                                  • Opcode ID: c29c0c402a7571feae0ae9108609f4b521ed8620159f06e057386b4c0de8fee6
                                  • Instruction ID: 8e8d9f10a7fa9eb07cfa005e508171e790958a5e58bc9953cfc1b543044694c3
                                  • Opcode Fuzzy Hash: c29c0c402a7571feae0ae9108609f4b521ed8620159f06e057386b4c0de8fee6
                                  • Instruction Fuzzy Hash: 3111E77A668307F9FE266A25FC66DE7379C9F25728B200011FE04E44D5EFA158714614
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 002BB2D5
                                  • CoInitialize.OLE32(00000000), ref: 002BB302
                                  • CoUninitialize.OLE32 ref: 002BB30C
                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 002BB40C
                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 002BB539
                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 002BB56D
                                  • CoGetObject.OLE32(?,00000000,002ED91C,?), ref: 002BB590
                                  • SetErrorMode.KERNEL32(00000000), ref: 002BB5A3
                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002BB623
                                  • VariantClear.OLEAUT32(002ED91C), ref: 002BB633
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                  • String ID:
                                  • API String ID: 2395222682-0
                                  • Opcode ID: 625905096f05cc32133a15e23ad7a45f975191f8b2302db6c61e54774c26bc14
                                  • Instruction ID: ff85fe42689f7a6ba9643752dbf64bc1a8f7853009e21211a9984c68fbe659fb
                                  • Opcode Fuzzy Hash: 625905096f05cc32133a15e23ad7a45f975191f8b2302db6c61e54774c26bc14
                                  • Instruction Fuzzy Hash: 07C142B0618301AFC701DF68C88496BB7E9FF88388F40495DF98A9B251DBB1ED55CB52
                                  APIs
                                  • __lock.LIBCMT ref: 0028ACC1
                                    • Part of subcall function 00287CF4: __mtinitlocknum.LIBCMT ref: 00287D06
                                    • Part of subcall function 00287CF4: EnterCriticalSection.KERNEL32(00000000,?,00287ADD,0000000D), ref: 00287D1F
                                  • __calloc_crt.LIBCMT ref: 0028ACD2
                                    • Part of subcall function 00286986: __calloc_impl.LIBCMT ref: 00286995
                                    • Part of subcall function 00286986: Sleep.KERNEL32(00000000,000003BC,0027F507,?,0000000E), ref: 002869AC
                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 0028ACED
                                  • GetStartupInfoW.KERNEL32(?,00316E28,00000064,00285E91,00316C70,00000014), ref: 0028AD46
                                  • __calloc_crt.LIBCMT ref: 0028AD91
                                  • GetFileType.KERNEL32(00000001), ref: 0028ADD8
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0028AE11
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                  • String ID:
                                  • API String ID: 1426640281-0
                                  • Opcode ID: 2155a4a3852ac94f6c88eb6dc71f331aa096e1ab59d9a19a60a09a5e6c23c518
                                  • Instruction ID: fca0f3e6a8f00492dea27cdb3f8e721267a3b9860737fe5c9edb54f6338293b5
                                  • Opcode Fuzzy Hash: 2155a4a3852ac94f6c88eb6dc71f331aa096e1ab59d9a19a60a09a5e6c23c518
                                  • Instruction Fuzzy Hash: 888107749233428FEB24DF68C8845ADBBF4AF05320B24466ED4A6AB3D1CB359853CF51
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 002A4047
                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002A30A5,?,00000001), ref: 002A405B
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 002A4062
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002A30A5,?,00000001), ref: 002A4071
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 002A4083
                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002A30A5,?,00000001), ref: 002A409C
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002A30A5,?,00000001), ref: 002A40AE
                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002A30A5,?,00000001), ref: 002A40F3
                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002A30A5,?,00000001), ref: 002A4108
                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002A30A5,?,00000001), ref: 002A4113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: 9a891f3689fac05ec4546056902fc77deeb15b9610f66eed3eee0e1e456a4f0d
                                  • Instruction ID: 569f5a76813bcb92e7c3eadbc2eeee397492a671dbdce8054a52e329ef41f44e
                                  • Opcode Fuzzy Hash: 9a891f3689fac05ec4546056902fc77deeb15b9610f66eed3eee0e1e456a4f0d
                                  • Instruction Fuzzy Hash: 4231E971510215AFDB22EF54EC89B6977ADFBA1311F10801EF908EA254DFF9ED418B60
                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002630DC
                                  • CoUninitialize.OLE32(?,00000000), ref: 00263181
                                  • UnregisterHotKey.USER32(?), ref: 002632A9
                                  • DestroyWindow.USER32(?), ref: 002D5079
                                  • FreeLibrary.KERNEL32(?), ref: 002D50F8
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 002D5125
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                  • String ID: close all
                                  • API String ID: 469580280-3243417748
                                  • Opcode ID: 2523ca464d425a6693dc7faf5d4fd0227df681125ff211dd6f6e8b584795a1fc
                                  • Instruction ID: dd085272ff166ab77f2eeb597c0637fef208389f948c37686d5ef00d43f20f3b
                                  • Opcode Fuzzy Hash: 2523ca464d425a6693dc7faf5d4fd0227df681125ff211dd6f6e8b584795a1fc
                                  • Instruction Fuzzy Hash: EE913C34620212CFC715EF14D895B68F3A4FF15305F5481A9E50AA7262DF70AEBACF50
                                  APIs
                                  • SetWindowLongW.USER32(?,000000EB), ref: 0027CC15
                                    • Part of subcall function 0027CCCD: GetClientRect.USER32(?,?), ref: 0027CCF6
                                    • Part of subcall function 0027CCCD: GetWindowRect.USER32(?,?), ref: 0027CD37
                                    • Part of subcall function 0027CCCD: ScreenToClient.USER32(?,?), ref: 0027CD5F
                                  • GetDC.USER32 ref: 002DD137
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002DD14A
                                  • SelectObject.GDI32(00000000,00000000), ref: 002DD158
                                  • SelectObject.GDI32(00000000,00000000), ref: 002DD16D
                                  • ReleaseDC.USER32(?,00000000), ref: 002DD175
                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002DD200
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                  • String ID: U
                                  • API String ID: 4009187628-3372436214
                                  • Opcode ID: 8894b2ef342ee42261ed49d1a9c2b2718a0db067b0880c645128df912a91ecd0
                                  • Instruction ID: 0d4b73ee6e0ba4050c5c26d9188c836ef6a3a15c3abd0bb86f9dcc402d954073
                                  • Opcode Fuzzy Hash: 8894b2ef342ee42261ed49d1a9c2b2718a0db067b0880c645128df912a91ecd0
                                  • Instruction Fuzzy Hash: 3A71D030420606DFCF229F64CC85AAA7BB5FF59314F24826EED595A2A6C731CC61DF60
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                    • Part of subcall function 0027B63C: GetCursorPos.USER32(000000FF), ref: 0027B64F
                                    • Part of subcall function 0027B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0027B66C
                                    • Part of subcall function 0027B63C: GetAsyncKeyState.USER32(00000001), ref: 0027B691
                                    • Part of subcall function 0027B63C: GetAsyncKeyState.USER32(00000002), ref: 0027B69F
                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 002CED3C
                                  • ImageList_EndDrag.COMCTL32 ref: 002CED42
                                  • ReleaseCapture.USER32 ref: 002CED48
                                  • SetWindowTextW.USER32(?,00000000), ref: 002CEDF0
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002CEE03
                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 002CEEDC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 1924731296-2107944366
                                  • Opcode ID: 65e388f470a42235a9eba5cf0cd00b06b8b9f5fd6f1376413f2c8aef60e62eb4
                                  • Instruction ID: d5ca6245f3e015f3c963e7b474611c99ed2bbccfda79d35f339e9b98edeea8ce
                                  • Opcode Fuzzy Hash: 65e388f470a42235a9eba5cf0cd00b06b8b9f5fd6f1376413f2c8aef60e62eb4
                                  • Instruction Fuzzy Hash: 5451B930214304AFD711EF20DC8AFAA77E8EB98714F104A2DF995972E1CB709968CF52
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002B45FF
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002B462B
                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002B466D
                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002B4682
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002B468F
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002B46BF
                                  • InternetCloseHandle.WININET(00000000), ref: 002B4706
                                    • Part of subcall function 002B5052: GetLastError.KERNEL32(?,?,002B43CC,00000000,00000000,00000001), ref: 002B5067
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                  • String ID:
                                  • API String ID: 1241431887-3916222277
                                  • Opcode ID: 3ba52759cef9ce4d1a23ed9f1e3c07339b3fb7014076f43efe91c2370497260c
                                  • Instruction ID: 681682bb59a257d38bc8086f7c2808775a77ddcbd7ff9230d73bc4b1ccc3f544
                                  • Opcode Fuzzy Hash: 3ba52759cef9ce4d1a23ed9f1e3c07339b3fb7014076f43efe91c2370497260c
                                  • Instruction Fuzzy Hash: 0D417CB1561219BFEB11AF50DCC9FFA77ACEF09384F004116FA059A182DBB099548BA4
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,002FDC00), ref: 002BB715
                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002FDC00), ref: 002BB749
                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002BB8C1
                                  • SysFreeString.OLEAUT32(?), ref: 002BB8EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                  • String ID:
                                  • API String ID: 560350794-0
                                  • Opcode ID: d6ced67a6941c3392320705215bd09b01bbdb1f97cccb045260407423f6ac26f
                                  • Instruction ID: e1de350b6fc239eb121052642ef6bbdca25e2862f7887db5022f676085d9d133
                                  • Opcode Fuzzy Hash: d6ced67a6941c3392320705215bd09b01bbdb1f97cccb045260407423f6ac26f
                                  • Instruction Fuzzy Hash: AFF12775A10209AFCF05DF94C888EEEB7B9FF49351F108499F905AB250DBB1AE51CB90
                                  APIs
                                  • _memset.LIBCMT ref: 002C24F5
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002C2688
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002C26AC
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002C26EC
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002C270E
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002C286F
                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002C28A1
                                  • CloseHandle.KERNEL32(?), ref: 002C28D0
                                  • CloseHandle.KERNEL32(?), ref: 002C2947
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                  • String ID:
                                  • API String ID: 4090791747-0
                                  • Opcode ID: 43cb4520669b991fb4f103b7fd8905587c0ba130f83c181bb4e9ab938301618d
                                  • Instruction ID: 3fe1c97f8ccd9b7c4d71f3d673e2a37076910dcdcc10b6d702b10eca3ab8f45c
                                  • Opcode Fuzzy Hash: 43cb4520669b991fb4f103b7fd8905587c0ba130f83c181bb4e9ab938301618d
                                  • Instruction Fuzzy Hash: C7D18D35624201DFCB14EF24C891B6ABBE5AF85310F14865DF8899B2A2DF31DC69CF52
                                  APIs
                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002CB3F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InvalidateRect
                                  • String ID:
                                  • API String ID: 634782764-0
                                  • Opcode ID: e1ac451ce89556e803a14825d354c9f381667050d7a2b47b594947d4ac12393b
                                  • Instruction ID: c6fab5bbb7978545b5d72c735b91f5b512a7965753076f174d7dca72e0ae6567
                                  • Opcode Fuzzy Hash: e1ac451ce89556e803a14825d354c9f381667050d7a2b47b594947d4ac12393b
                                  • Instruction Fuzzy Hash: CA51E330520255BFEF369F28DC8AFAD3B68BB00354F64425AF614D71E2C7B1E9648B51
                                  APIs
                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002DDB1B
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002DDB3C
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002DDB51
                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002DDB6E
                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002DDB95
                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0027A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002DDBA0
                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002DDBBD
                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0027A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002DDBC8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                  • String ID:
                                  • API String ID: 1268354404-0
                                  • Opcode ID: e387ac55cc22cd23ff434c0673ae72f6f642b80681795f665715e767fbb1755c
                                  • Instruction ID: 6f2c5ca1baec97cd333f4ba34e70634c77dbb6239ec5eb122dc65cf729b8c8ca
                                  • Opcode Fuzzy Hash: e387ac55cc22cd23ff434c0673ae72f6f642b80681795f665715e767fbb1755c
                                  • Instruction Fuzzy Hash: 95519C30660609EFDB24DF64CC81FAE77B8BB58368F104519F94A9B2D0D7B0ACA0DB50
                                  APIs
                                    • Part of subcall function 002A6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002A5FA6,?), ref: 002A6ED8
                                    • Part of subcall function 002A6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002A5FA6,?), ref: 002A6EF1
                                    • Part of subcall function 002A72CB: GetFileAttributesW.KERNEL32(?,002A6019), ref: 002A72CC
                                  • lstrcmpiW.KERNEL32(?,?), ref: 002A75CA
                                  • _wcscmp.LIBCMT ref: 002A75E2
                                  • MoveFileW.KERNEL32(?,?), ref: 002A75FB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                  • String ID:
                                  • API String ID: 793581249-0
                                  • Opcode ID: ad7b80685ed60898930b4cfb7af9368be4b09deccd37184ad0fac7013567c115
                                  • Instruction ID: 2f3553c8e5bef773ab8b901c91a6283c558e6530f34463c424d6432bbc42149d
                                  • Opcode Fuzzy Hash: ad7b80685ed60898930b4cfb7af9368be4b09deccd37184ad0fac7013567c115
                                  • Instruction Fuzzy Hash: A6514EB2A192199BDF50EF94DC85DDE73BC9F09310B0040AAFA05E3481EA74D6D9CF64
                                  APIs
                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002DDAD1,00000004,00000000,00000000), ref: 0027EAEB
                                  • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,002DDAD1,00000004,00000000,00000000), ref: 0027EB32
                                  • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,002DDAD1,00000004,00000000,00000000), ref: 002DDC86
                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002DDAD1,00000004,00000000,00000000), ref: 002DDCF2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ShowWindow
                                  • String ID:
                                  • API String ID: 1268545403-0
                                  • Opcode ID: 92b8ee3167fd6cf1af40083cbc0f2cb5b844e40177e1d8c2bbe947f82add7287
                                  • Instruction ID: 998fd3b0d7975b927b46d654985c5d1922cb8b926a1ad823705a708c6be297a3
                                  • Opcode Fuzzy Hash: 92b8ee3167fd6cf1af40083cbc0f2cb5b844e40177e1d8c2bbe947f82add7287
                                  • Instruction Fuzzy Hash: 30410A302346819ADF354F289DCDB2A7E95FB59308F1B948EE04F86661C6B07C60C731
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0029AEF1,00000B00,?,?), ref: 0029B26C
                                  • HeapAlloc.KERNEL32(00000000,?,0029AEF1,00000B00,?,?), ref: 0029B273
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0029AEF1,00000B00,?,?), ref: 0029B288
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,0029AEF1,00000B00,?,?), ref: 0029B290
                                  • DuplicateHandle.KERNEL32(00000000,?,0029AEF1,00000B00,?,?), ref: 0029B293
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0029AEF1,00000B00,?,?), ref: 0029B2A3
                                  • GetCurrentProcess.KERNEL32(0029AEF1,00000000,?,0029AEF1,00000B00,?,?), ref: 0029B2AB
                                  • DuplicateHandle.KERNEL32(00000000,?,0029AEF1,00000B00,?,?), ref: 0029B2AE
                                  • CreateThread.KERNEL32(00000000,00000000,0029B2D4,00000000,00000000,00000000), ref: 0029B2C8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                  • String ID:
                                  • API String ID: 1957940570-0
                                  • Opcode ID: 04f428c7e586096f2b6c66c36ee8bb5758c2230f11cb0b558c9f634645afaec0
                                  • Instruction ID: 55299a716a81b93df716252ce7aca00d6f62cbbbe7a256a7136cefdae739a18d
                                  • Opcode Fuzzy Hash: 04f428c7e586096f2b6c66c36ee8bb5758c2230f11cb0b558c9f634645afaec0
                                  • Instruction Fuzzy Hash: 4B01FBB5280344BFE710ABA5EC8DF6B3BACEB88700F008451FA14CF1A1CA719800CF21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: NULL Pointer assignment$Not an Object type
                                  • API String ID: 0-572801152
                                  • Opcode ID: d00c94181d57e6cd27e5445d801a874c41925dbecea6447839d4a4b9dd2de7bf
                                  • Instruction ID: c99e51f22b4046f3379a45aa3ce1b2e5634df79a0ccec49e418b71e5129eb1a1
                                  • Opcode Fuzzy Hash: d00c94181d57e6cd27e5445d801a874c41925dbecea6447839d4a4b9dd2de7bf
                                  • Instruction Fuzzy Hash: 1BE1C871A2021A9FDF15DF64C885BEEB7B9EF48394F244029F905AB281D770AD61CF90
                                  APIs
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                    • Part of subcall function 0027C6F4: _wcscpy.LIBCMT ref: 0027C717
                                  • _wcstok.LIBCMT ref: 002B184E
                                  • _wcscpy.LIBCMT ref: 002B18DD
                                  • _memset.LIBCMT ref: 002B1910
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                  • String ID: X$p21l21
                                  • API String ID: 774024439-3173266809
                                  • Opcode ID: 127e6c182234a0004812beb98bc0f2779cbb636b0e6af98efb11a88fdc414df8
                                  • Instruction ID: 0087bde3867dd8f0aa1e4cd63fa023b7abdee72c60e50f853f26c8e87bce4478
                                  • Opcode Fuzzy Hash: 127e6c182234a0004812beb98bc0f2779cbb636b0e6af98efb11a88fdc414df8
                                  • Instruction Fuzzy Hash: 5BC191356243419FC714EF24C895AAAB7E4BF85350F50496DF889972A2DB30EDA4CF82
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memset
                                  • String ID: Q\E$[$\$\$]$^
                                  • API String ID: 2102423945-1026548749
                                  • Opcode ID: b9689a83d4b7bfadb66df9a9b564fa63f3d40c5ee48d9349f03d28daecd60d8e
                                  • Instruction ID: 4ed939ec9c8f3fd102f417f597e5f8a52d314cd6c349930110692bb61741b3b8
                                  • Opcode Fuzzy Hash: b9689a83d4b7bfadb66df9a9b564fa63f3d40c5ee48d9349f03d28daecd60d8e
                                  • Instruction Fuzzy Hash: 02518F71D2024A9BCF24CF98C9816EDB7B2EF94314F248266D818B7351E7709DE58B84
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002C9B19
                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 002C9B2D
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002C9B47
                                  • _wcscat.LIBCMT ref: 002C9BA2
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 002C9BB9
                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002C9BE7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat
                                  • String ID: SysListView32
                                  • API String ID: 307300125-78025650
                                  • Opcode ID: ccada7be75e6f81fc9fb5cc7d5258639e11468ee411d6db5ee59d2d13d00ebde
                                  • Instruction ID: 12b00cc3c11acbc13812f4d378ac1e9b84e0eb0d6d55d20def59f1b16d97504c
                                  • Opcode Fuzzy Hash: ccada7be75e6f81fc9fb5cc7d5258639e11468ee411d6db5ee59d2d13d00ebde
                                  • Instruction Fuzzy Hash: AA41EF70A50309ABDF21DFA4DC89FEE77A8EF08350F00052AF549A7291C6B19D94CB60
                                  APIs
                                    • Part of subcall function 002A6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002A6554
                                    • Part of subcall function 002A6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 002A6564
                                    • Part of subcall function 002A6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002A65F9
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002C179A
                                  • GetLastError.KERNEL32 ref: 002C17AD
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002C17D9
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 002C1855
                                  • GetLastError.KERNEL32(00000000), ref: 002C1860
                                  • CloseHandle.KERNEL32(00000000), ref: 002C1895
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 2533919879-2896544425
                                  • Opcode ID: 4f1ec9b379acfb9ba5fe99654e91b051e5a096f9fb37247573bb01013376d6a6
                                  • Instruction ID: a6d85f1284d19c508da964c0241da03eaa525375962bbfa31f56a93a300d2be4
                                  • Opcode Fuzzy Hash: 4f1ec9b379acfb9ba5fe99654e91b051e5a096f9fb37247573bb01013376d6a6
                                  • Instruction Fuzzy Hash: 0E41CD71620201AFEB05EF54CCE6F6EB7A1AF15700F04819DF9069F282DBB5A964CF91
                                  APIs
                                  • LoadIconW.USER32(00000000,00007F03), ref: 002A58B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2457776203-404129466
                                  • Opcode ID: d22e71144d38419d80b3de406e7d6583aa3551c1d40ad2abd6b59f87d19aeb14
                                  • Instruction ID: 4a19b4da7934970c62fbb4118ce64667d7529741c7861e2bb92146d85fa8b77f
                                  • Opcode Fuzzy Hash: d22e71144d38419d80b3de406e7d6583aa3551c1d40ad2abd6b59f87d19aeb14
                                  • Instruction Fuzzy Hash: F711EE36329B53BFE7055F559CC2DEF639C9F26314B20003AF600A51C1EFA899A04664
                                  APIs
                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 002AA806
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ArraySafeVartype
                                  • String ID:
                                  • API String ID: 1725837607-0
                                  • Opcode ID: 07649a32771174994dd3b53148fd645fca9e52ebfef2d1b2397e44d006d8927d
                                  • Instruction ID: 1ea60ffb7c300719059e89bedba8e2883009335361c9f7d378048acd658c4c8c
                                  • Opcode Fuzzy Hash: 07649a32771174994dd3b53148fd645fca9e52ebfef2d1b2397e44d006d8927d
                                  • Instruction Fuzzy Hash: DCC1C075A1121ADFDB00DF98D485BAEB7F4FF0A311F20806AE605EB241DB34A951CFA1
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002A6B63
                                  • LoadStringW.USER32(00000000), ref: 002A6B6A
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002A6B80
                                  • LoadStringW.USER32(00000000), ref: 002A6B87
                                  • _wprintf.LIBCMT ref: 002A6BAD
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002A6BCB
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 002A6BA8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_wprintf
                                  • String ID: %s (%d) : ==> %s: %s %s
                                  • API String ID: 3648134473-3128320259
                                  • Opcode ID: 9411e30a90c36d475309cf3473f86b2c2f4fc68d4951b925f3a9ad08091a9bd6
                                  • Instruction ID: b1af727ffdfa31b52c78130b0fc935944f5f1644eeb8bd6bde467155b02c36ae
                                  • Opcode Fuzzy Hash: 9411e30a90c36d475309cf3473f86b2c2f4fc68d4951b925f3a9ad08091a9bd6
                                  • Instruction Fuzzy Hash: 760162F6540248BFEB11ABA0ADCDEF6726CD708304F4044A1B745EA041EA749E848F70
                                  APIs
                                    • Part of subcall function 002C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002C2BB5,?,?), ref: 002C3C1D
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002C2BF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BuffCharConnectRegistryUpper
                                  • String ID:
                                  • API String ID: 2595220575-0
                                  • Opcode ID: d2d11fb7be22bc9c4a0d823462bb8c5601928a118d72c8426872b1130e914014
                                  • Instruction ID: 1cbcc342c657bc166b97b065b223d3003560df1876a91abdd31af222a331fff9
                                  • Opcode Fuzzy Hash: d2d11fb7be22bc9c4a0d823462bb8c5601928a118d72c8426872b1130e914014
                                  • Instruction Fuzzy Hash: 5A915431214201DFCB01EF14C885F6EB7E5BF98310F14895DF99A9B2A2DB71A969CF42
                                  APIs
                                  • select.WSOCK32 ref: 002B9691
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B969E
                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002B96C8
                                   • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002B96E9   (import by ordinal; wsock32 export ordinal 17 is recvfrom, consistent with the six arguments shown)
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B96F8
                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 002B97AA
                                  • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,002FDC00), ref: 002B9765
                                    • Part of subcall function 0029D2FF: _strlen.LIBCMT ref: 0029D309
                                  • _strlen.LIBCMT ref: 002B9800
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                  • String ID:
                                  • API String ID: 3480843537-0
                                  • Opcode ID: a0349e2cf00f5d9644f25e5ef0ab0b74500cc76a5a4fc724955dc0efb2d70c97
                                  • Instruction ID: f60b7f332b7dcbb4704873438242bcc0bc9df269b8e925aa3bbb09a5efc9f60d
                                  • Opcode Fuzzy Hash: a0349e2cf00f5d9644f25e5ef0ab0b74500cc76a5a4fc724955dc0efb2d70c97
                                  • Instruction Fuzzy Hash: C881F031524240AFC710EF64CC85FABB7E8EF89714F104A1DF6599B292EB70D964CB92
                                  APIs
                                  • __mtinitlocknum.LIBCMT ref: 0028A991
                                    • Part of subcall function 00287D7C: __FF_MSGBANNER.LIBCMT ref: 00287D91
                                    • Part of subcall function 00287D7C: __NMSG_WRITE.LIBCMT ref: 00287D98
                                    • Part of subcall function 00287D7C: __malloc_crt.LIBCMT ref: 00287DB8
                                  • __lock.LIBCMT ref: 0028A9A4
                                  • __lock.LIBCMT ref: 0028A9F0
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00316DE0,00000018,00295E7B,?,00000000,00000109), ref: 0028AA0C
                                  • EnterCriticalSection.KERNEL32(8000000C,00316DE0,00000018,00295E7B,?,00000000,00000109), ref: 0028AA29
                                  • LeaveCriticalSection.KERNEL32(8000000C), ref: 0028AA39
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                  • String ID:
                                  • API String ID: 1422805418-0
                                  • Opcode ID: 83ebf07ff11470dfb25e45da9d85958e766dde0792353b91990ba9436a11964c
                                  • Instruction ID: 1a6fbe919cf7202cc46dd7ce012d775edc5328eadbf9d3058f17c55e3c529566
                                  • Opcode Fuzzy Hash: 83ebf07ff11470dfb25e45da9d85958e766dde0792353b91990ba9436a11964c
                                  • Instruction Fuzzy Hash: D5415B759222029BFB28AF68D94475CB7B46F00334F14821EE425AB5D1DFB49861CF82
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 002C8EE4
                                  • GetDC.USER32(00000000), ref: 002C8EEC
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C8EF7
                                  • ReleaseDC.USER32(00000000,00000000), ref: 002C8F03
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 002C8F3F
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002C8F50
                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002CBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 002C8F8A
                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002C8FAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                  • String ID:
                                  • API String ID: 3864802216-0
                                  • Opcode ID: 0f95a8bbb3959d1ee96651421b57c2795fa8a5746ab38118ebf055db392bdbf8
                                  • Instruction ID: d942b8260a7a2dc3cce39fa4271969b22c3077994c65b8b923116c9d08954223
                                  • Opcode Fuzzy Hash: 0f95a8bbb3959d1ee96651421b57c2795fa8a5746ab38118ebf055db392bdbf8
                                  • Instruction Fuzzy Hash: 55317F72140254BFEF108F50DC89FEA3BADEF49715F084169FE089E191C6B59851CB74
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • GetSystemMetrics.USER32(0000000F), ref: 002D016D
                                  • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 002D038D
                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002D03AB
                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 002D03D6
                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002D03FF
                                  • ShowWindow.USER32(00000003,00000000), ref: 002D0421
                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 002D0440
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                  • String ID:
                                  • API String ID: 3356174886-0
                                  • Opcode ID: 69dd216a57e88f19a785a73e64b2ac83c877715897f13b352bb7e807698cf342
                                  • Instruction ID: 5c379e3972fb27ad8f94b47379ebda577e046e28f43189bafb3f05f7266451a7
                                  • Opcode Fuzzy Hash: 69dd216a57e88f19a785a73e64b2ac83c877715897f13b352bb7e807698cf342
                                  • Instruction Fuzzy Hash: 9BA18C35610616EBDB18CF68C9C97BDBBB1BF48700F14815AEC54AB3A0D774AD61CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 73f3341e132cba3b3150662b13f219f9a97b0bfacd0e75da8fe866833c62d064
                                  • Instruction ID: f891cf01049d91fc150990e1fd16875044a1fff25b9599a122af46987b77c0fc
                                  • Opcode Fuzzy Hash: 73f3341e132cba3b3150662b13f219f9a97b0bfacd0e75da8fe866833c62d064
                                  • Instruction Fuzzy Hash: 29716C71910109AFCF14DF98CC89ABEBB74FF85324F24C149F919AA250C7319A21CF66
                                  APIs
                                  • _memset.LIBCMT ref: 002C225A
                                  • _memset.LIBCMT ref: 002C2323
                                  • ShellExecuteExW.SHELL32(?), ref: 002C2368
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                    • Part of subcall function 0027C6F4: _wcscpy.LIBCMT ref: 0027C717
                                  • CloseHandle.KERNEL32(00000000), ref: 002C242F
                                  • FreeLibrary.KERNEL32(00000000), ref: 002C243E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                  • String ID: @
                                  • API String ID: 4082843840-2766056989
                                  APIs
                                  • GetParent.USER32(00000000), ref: 002A3C02
                                  • GetKeyboardState.USER32(?), ref: 002A3C17
                                  • SetKeyboardState.USER32(?), ref: 002A3C78
                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002A3CA4
                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002A3CC1
                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002A3D05
                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002A3D26
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  APIs
                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002C8FE7
                                  • GetWindowLongW.USER32(0114FF20,000000F0), ref: 002C901A
                                  • GetWindowLongW.USER32(0114FF20,000000F0), ref: 002C904F
                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002C9081
                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002C90AB
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 002C90BC
                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002C90D6
                                  Similarity
                                  • API ID: LongWindow$MessageSend
                                  • String ID:
                                  • API String ID: 2178440468-0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002A08F2
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002A0918
                                  • SysAllocString.OLEAUT32(00000000), ref: 002A091B
                                  • SysAllocString.OLEAUT32(?), ref: 002A0939
                                  • SysFreeString.OLEAUT32(?), ref: 002A0942
                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 002A0967
                                  • SysAllocString.OLEAUT32(?), ref: 002A0975
                                  Similarity
                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                  • String ID:
                                  • API String ID: 3761583154-0
                                  APIs
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 1038674560-2734436370
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002A09CB
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002A09F1
                                  • SysAllocString.OLEAUT32(00000000), ref: 002A09F4
                                  • SysAllocString.OLEAUT32 ref: 002A0A15
                                  • SysFreeString.OLEAUT32 ref: 002A0A1E
                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 002A0A38
                                  • SysAllocString.OLEAUT32(?), ref: 002A0A46
                                  Similarity
                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                  • String ID:
                                  • API String ID: 3761583154-0
                                  APIs
                                    • Part of subcall function 0027D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027D1BA
                                    • Part of subcall function 0027D17C: GetStockObject.GDI32(00000011), ref: 0027D1CE
                                    • Part of subcall function 0027D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027D1D8
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002CA32D
                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002CA33A
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002CA345
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002CA354
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002CA360
                                  Similarity
                                  • API ID: MessageSend$CreateObjectStockWindow
                                  • String ID: Msctls_Progress32
                                  • API String ID: 1025951953-3636473452
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 0027CCF6
                                  • GetWindowRect.USER32(?,?), ref: 0027CD37
                                  • ScreenToClient.USER32(?,?), ref: 0027CD5F
                                  • GetClientRect.USER32(?,?), ref: 0027CE8C
                                  • GetWindowRect.USER32(?,?), ref: 0027CEA5
                                  Similarity
                                  • API ID: Rect$Client$Window$Screen
                                  • String ID:
                                  • API String ID: 1296646539-0
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 002C1C18
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 002C1C26
                                  • __wsplitpath.LIBCMT ref: 002C1C54
                                    • Part of subcall function 00281DFC: __wsplitpath_helper.LIBCMT ref: 00281E3C
                                  • _wcscat.LIBCMT ref: 002C1C69
                                  • Process32NextW.KERNEL32(00000000,?), ref: 002C1CDF
                                  • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 002C1CF1
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 1380811348-0
                                  APIs
                                    • Part of subcall function 002C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002C2BB5,?,?), ref: 002C3C1D
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002C30AF
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002C30EF
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002C3112
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002C313B
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 002C317E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 002C318B
                                  Similarity
                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                  • String ID:
                                  • API String ID: 3451389628-0
                                  APIs
                                  • GetMenu.USER32(?), ref: 002C8540
                                  • GetMenuItemCount.USER32(00000000), ref: 002C8577
                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002C859F
                                  • GetMenuItemID.USER32(?,?), ref: 002C860E
                                  • GetSubMenu.USER32(?,?), ref: 002C861C
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 002C866D
                                  Similarity
                                  • API ID: Menu$Item$CountMessagePostString
                                  • String ID:
                                  • API String ID: 650687236-0
                                  APIs
                                  • _memset.LIBCMT ref: 002A4B10
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A4B5B
                                  • IsMenu.USER32(00000000), ref: 002A4B7B
                                  • CreatePopupMenu.USER32 ref: 002A4BAF
                                  • GetMenuItemCount.USER32(000000FF), ref: 002A4C0D
                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002A4C3E
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                  • String ID:
                                  • API String ID: 3311875123-0
                                  APIs
                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,002FDC00), ref: 002B8E7C
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8E89
                                  • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 002B8EAD
                                  • #16.WSOCK32(?,?,00000000,00000000), ref: 002B8EC5
                                  • _strlen.LIBCMT ref: 002B8EF7
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8F6A
                                  Similarity
                                  • API ID: ErrorLast$_strlenselect
                                  • String ID:
                                  • API String ID: 2217125717-0
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • BeginPaint.USER32(?,?,?), ref: 0027AC2A
                                  • GetWindowRect.USER32(?,?), ref: 0027AC8E
                                  • ScreenToClient.USER32(?,?), ref: 0027ACAB
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0027ACBC
                                  • EndPaint.USER32(?,?,?,?,?), ref: 0027AD06
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002DE673
                                  Similarity
                                  • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                  • String ID:
                                  APIs
                                  • ShowWindow.USER32(00321628,00000000,00321628,00000000,00000000,00321628,?,002DDC5D,00000000,?,00000000,00000000,00000000,?,002DDAD1,00000004), ref: 002CE40B
                                  • EnableWindow.USER32(00000000,00000000), ref: 002CE42F
                                  • ShowWindow.USER32(00321628,00000000), ref: 002CE48F
                                  • ShowWindow.USER32(00000000,00000004), ref: 002CE4A1
                                  • EnableWindow.USER32(00000000,00000001), ref: 002CE4C5
                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002CE4E8
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 002A98D1
                                    • Part of subcall function 0027F4EA: std::exception::exception.LIBCMT ref: 0027F51E
                                    • Part of subcall function 0027F4EA: __CxxThrowException@8.LIBCMT ref: 0027F533
                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002A9908
                                  • EnterCriticalSection.KERNEL32(?), ref: 002A9924
                                  • LeaveCriticalSection.KERNEL32(?), ref: 002A999E
                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002A99B3
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 002A99D2
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                  • String ID:
                                  APIs
                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,002B77F4,?,?,00000000,00000001), ref: 002B9B53
                                    • Part of subcall function 002B6544: GetWindowRect.USER32(?,?), ref: 002B6557
                                  • GetDesktopWindow.USER32 ref: 002B9B7D
                                  • GetWindowRect.USER32(00000000), ref: 002B9B84
                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002B9BB6
                                    • Part of subcall function 002A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002A7AD0
                                  • GetCursorPos.USER32(?), ref: 002B9BE2
                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002B9C44
                                  Similarity
                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                  • String ID:
                                  APIs
                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0029AFAE
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0029AFB5
                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0029AFC4
                                  • CloseHandle.KERNEL32(00000004), ref: 0029AFCF
                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029AFFE
                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 0029B012
                                  Similarity
                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                  • String ID:
                                  APIs
                                    • Part of subcall function 0027AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0027AFE3
                                    • Part of subcall function 0027AF83: SelectObject.GDI32(?,00000000), ref: 0027AFF2
                                    • Part of subcall function 0027AF83: BeginPath.GDI32(?), ref: 0027B009
                                    • Part of subcall function 0027AF83: SelectObject.GDI32(?,00000000), ref: 0027B033
                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002CEC20
                                  • LineTo.GDI32(00000000,00000003,?), ref: 002CEC34
                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002CEC42
                                  • LineTo.GDI32(00000000,00000000,?), ref: 002CEC52
                                  • EndPath.GDI32(00000000), ref: 002CEC62
                                  • StrokePath.GDI32(00000000), ref: 002CEC72
                                  Similarity
                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                  • String ID:
                                  APIs
                                  • GetDC.USER32(00000000), ref: 0029E1C0
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0029E1D1
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0029E1D8
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0029E1E0
                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0029E1F7
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0029E209
                                    • Part of subcall function 00299AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00299A05,00000000,00000000,?,00299DDB), ref: 0029A53A
                                  Similarity
                                  • API ID: CapsDevice$ExceptionRaiseRelease
                                  • String ID:
                                  APIs
                                  • __init_pointers.LIBCMT ref: 00287B47
                                    • Part of subcall function 0028123A: __initp_misc_winsig.LIBCMT ref: 0028125E
                                    • Part of subcall function 0028123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00287F51
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00287F65
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00287F78
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00287F8B
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00287F9E
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00287FB1
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00287FC4
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00287FD7
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00287FEA
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00287FFD
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00288010
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00288023
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00288036
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00288049
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0028805C
                                    • Part of subcall function 0028123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0028806F
                                  • __mtinitlocks.LIBCMT ref: 00287B4C
                                    • Part of subcall function 00287E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0031AC68,00000FA0,?,?,00287B51,00285E77,00316C70,00000014), ref: 00287E41
                                  • __mtterm.LIBCMT ref: 00287B55
                                    • Part of subcall function 00287BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00287B5A,00285E77,00316C70,00000014), ref: 00287D3F
                                    • Part of subcall function 00287BBD: _free.LIBCMT ref: 00287D46
                                    • Part of subcall function 00287BBD: DeleteCriticalSection.KERNEL32(0031AC68,?,?,00287B5A,00285E77,00316C70,00000014), ref: 00287D68
                                  • __calloc_crt.LIBCMT ref: 00287B7A
                                  • GetCurrentThreadId.KERNEL32 ref: 00287BA3
                                  Similarity
                                  • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                  • String ID:
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0026281D
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00262825
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00262830
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0026283B
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00262843
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0026284B
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002A7C07
                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002A7C1D
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 002A7C2C
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002A7C3B
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002A7C45
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002A7C4C
                                  Similarity
                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                  • String ID:
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 002A9A33
                                  • EnterCriticalSection.KERNEL32(?,?,?,?,002D5DEE,?,?,?,?,?,0026ED63), ref: 002A9A44
                                  • TerminateThread.KERNEL32(?,000001F6,?,?,?,002D5DEE,?,?,?,?,?,0026ED63), ref: 002A9A51
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,002D5DEE,?,?,?,?,?,0026ED63), ref: 002A9A5E
                                    • Part of subcall function 002A93D1: CloseHandle.KERNEL32(?,?,002A9A6B,?,?,?,002D5DEE,?,?,?,?,?,0026ED63), ref: 002A93DB
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 002A9A71
                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,002D5DEE,?,?,?,?,?,0026ED63), ref: 002A9A78
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  • Opcode ID: ec437067a940e8c558cbf4f7ea88bf3233b904cddb19a773137890a885982e64
                                  • Instruction ID: 802d13a83ceca06e3b993d716693a2c80c032a5aa8821e0862a96bc44572930c
                                  • Opcode Fuzzy Hash: ec437067a940e8c558cbf4f7ea88bf3233b904cddb19a773137890a885982e64
                                  • Instruction Fuzzy Hash: A7F05E32181252EBD7111BA4FCDDDAA7739FF85301B140426FA03990A2DF769851DB51
                                  APIs
                                    • Part of subcall function 0027F4EA: std::exception::exception.LIBCMT ref: 0027F51E
                                    • Part of subcall function 0027F4EA: __CxxThrowException@8.LIBCMT ref: 0027F533
                                  • __swprintf.LIBCMT ref: 00261EA6
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00261D49
                                  Similarity
                                  • API ID: Exception@8Throw__swprintfstd::exception::exception
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 2125237772-557222456
                                  • Opcode ID: 214f1fd97f37e4c433023dde6e7f0cc95b3614dfb87409bb050ab2b0d4e0c01d
                                  • Instruction ID: dfd6318fa4af2f879183b41a433127b1cfc78c2ae90f28ec5685dd8aa6766339
                                  • Opcode Fuzzy Hash: 214f1fd97f37e4c433023dde6e7f0cc95b3614dfb87409bb050ab2b0d4e0c01d
                                  • Instruction Fuzzy Hash: E591AD711242029FCB24EF24C895C6EB7B8BF95700F14491EF886972A1DB71EDA4CF92
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 002BB006
                                  • CharUpperBuffW.USER32(?,?), ref: 002BB115
                                  • VariantClear.OLEAUT32(?), ref: 002BB298
                                    • Part of subcall function 002A9DC5: VariantInit.OLEAUT32(00000000), ref: 002A9E05
                                    • Part of subcall function 002A9DC5: VariantCopy.OLEAUT32(?,?), ref: 002A9E0E
                                    • Part of subcall function 002A9DC5: VariantClear.OLEAUT32(?), ref: 002A9E1A
                                  Similarity
                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                  • API String ID: 4237274167-1221869570
                                  • Opcode ID: 4fc6869d6ca0a2ee431dfd7b5da1a14823dd417e234e89988595757a97e13120
                                  • Instruction ID: 8969d5f5d9dab35ff25f924cc12bf0bf2ae565ba9f1b4706b45fc447d8a7f1bb
                                  • Opcode Fuzzy Hash: 4fc6869d6ca0a2ee431dfd7b5da1a14823dd417e234e89988595757a97e13120
                                  • Instruction Fuzzy Hash: AA918C306283019FCB11EF24C4849AABBF4EF89744F14486DF89A9B361DB71E955CF52
                                  APIs
                                    • Part of subcall function 0027C6F4: _wcscpy.LIBCMT ref: 0027C717
                                  • _memset.LIBCMT ref: 002A5438
                                  • GetMenuItemInfoW.USER32(?), ref: 002A5467
                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002A5513
                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002A553D
                                  Similarity
                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                  • String ID: 0
                                  • API String ID: 4152858687-4108050209
                                  • Opcode ID: 974e6f675e569a48f41405cd800a28bbb4cde909fa9ab5252f92ae5ac8ea4d19
                                  • Instruction ID: 245fb1a1ae7b3c8617d11a8c4b577bbb571ec9c7c28eb9ae0aef812d6a33b012
                                  • Opcode Fuzzy Hash: 974e6f675e569a48f41405cd800a28bbb4cde909fa9ab5252f92ae5ac8ea4d19
                                  • Instruction Fuzzy Hash: 965133719347229BD711AF28C8846ABB7E9EF8B310F44062EF895D3191DFB0CD648B52
                                  APIs
                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002A027B
                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002A02B1
                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002A02C2
                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002A0344
                                  Similarity
                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                  • String ID: DllGetClassObject
                                  • API String ID: 753597075-1075368562
                                  • Opcode ID: 23341a51a498a3c4e2c2cce4b78e86180b65c9a5267ebc7b66caf0662b2f966a
                                  • Instruction ID: f16debc525f4809d1c50aec308951e62ea549a244e1e503c0a4afe549491650d
                                  • Opcode Fuzzy Hash: 23341a51a498a3c4e2c2cce4b78e86180b65c9a5267ebc7b66caf0662b2f966a
                                  • Instruction Fuzzy Hash: CB414AB1620205AFDF05CF54C8C4B9A7BB9EF4A311B1480E9A9099F206DBB1DD54CBA0
                                  APIs
                                  • _memset.LIBCMT ref: 002A5075
                                  • GetMenuItemInfoW.USER32 ref: 002A5091
                                  • DeleteMenu.USER32(00000004,00000007,00000000), ref: 002A50D7
                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00321708,00000000), ref: 002A5120
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem_memset
                                  • String ID: 0
                                  • API String ID: 1173514356-4108050209
                                  • Opcode ID: 2d18e9a20449a151709acda71bb88a9e5109cc8e6dd7f701d1364c55bfbe5523
                                  • Instruction ID: ef788a90b32c08f1b68088a05a3c7980bf45c2f9327ae3f0bb48a0d33252d7e3
                                  • Opcode Fuzzy Hash: 2d18e9a20449a151709acda71bb88a9e5109cc8e6dd7f701d1364c55bfbe5523
                                  • Instruction Fuzzy Hash: 5C41E371214712AFD720DF24D884B2BB7E8AF8A324F04465EF85997291DB70E914CF62
                                  APIs
                                  • CharLowerBuffW.USER32(?,?,?,?), ref: 002C0587
                                  Similarity
                                  • API ID: BuffCharLower
                                  • String ID: cdecl$none$stdcall$winapi
                                  • API String ID: 2358735015-567219261
                                  • Opcode ID: ad00bbd9e964bad486ff186f6ab1a05a5655a4d50154542a8284f802e6f9b380
                                  • Instruction ID: c1b8fe12fa45be95b3175c6e5a1018f0b75d47f2427685edb1b76e4d3a402531
                                  • Opcode Fuzzy Hash: ad00bbd9e964bad486ff186f6ab1a05a5655a4d50154542a8284f802e6f9b380
                                  • Instruction Fuzzy Hash: 6231B274520216ABCF01EF54CC81AEEB3B8FF58314B10862DE42AA72D1DB71A975CF50
                                  APIs
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0029B88E
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0029B8A1
                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 0029B8D1
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 3850602802-1403004172
                                  • Opcode ID: 030f5905b482a853d7fda46c2cc5e9b930d75e8fba67fd6dfdc38c041e2caf50
                                  • Instruction ID: 590e3c3cdbec550d6eea31ee4daca474651bce7edbc9baed20f74620927351e1
                                  • Opcode Fuzzy Hash: 030f5905b482a853d7fda46c2cc5e9b930d75e8fba67fd6dfdc38c041e2caf50
                                  • Instruction Fuzzy Hash: 7E21E172920108AFDF09AFA4E98A9FE777CEF09350B204129F065A71E0DB744D669B60
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002B4401
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002B4427
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002B4457
                                  • InternetCloseHandle.WININET(00000000), ref: 002B449E
                                    • Part of subcall function 002B5052: GetLastError.KERNEL32(?,?,002B43CC,00000000,00000000,00000001), ref: 002B5067
                                  Similarity
                                  • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 1951874230-3916222277
                                  • Opcode ID: 87d1f6409aba9f2c74c635721702ee93954212b1a290cd4093c567d2fcf265fc
                                  • Instruction ID: e026e8193926dcaca1946ab1437fb977678cc78fe38fe8debdd8d81e845b410f
                                  • Opcode Fuzzy Hash: 87d1f6409aba9f2c74c635721702ee93954212b1a290cd4093c567d2fcf265fc
                                  • Instruction Fuzzy Hash: FA21B0B5550208BEE711AF54DCC4FFBB7FCEB48784F10841AF20596141EA749D259B71
                                  APIs
                                    • Part of subcall function 0027D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027D1BA
                                    • Part of subcall function 0027D17C: GetStockObject.GDI32(00000011), ref: 0027D1CE
                                    • Part of subcall function 0027D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027D1D8
                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002C915C
                                  • LoadLibraryW.KERNEL32(?), ref: 002C9163
                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002C9178
                                  • DestroyWindow.USER32(?), ref: 002C9180
                                  Similarity
                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                  • String ID: SysAnimate32
                                  • API String ID: 4146253029-1011021900
                                  • Opcode ID: c977c97ae958da9df8876dd403af6bbdf3d51f57164ea80ff6e3f1aa4095e2e2
                                  • Instruction ID: 7aa68210e27c61debba889b4a9283d005d3abf37670fba619d864044b26363c1
                                  • Opcode Fuzzy Hash: c977c97ae958da9df8876dd403af6bbdf3d51f57164ea80ff6e3f1aa4095e2e2
                                  • Instruction Fuzzy Hash: 0E21AF71220207BBEF104F649C8EFBA37ADEF59364F14031CF91896190C7B18CA1AB60
                                  APIs
                                  • GetStdHandle.KERNEL32(0000000C), ref: 002A9588
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A95B9
                                  • GetStdHandle.KERNEL32(0000000C), ref: 002A95CB
                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002A9605
                                  Similarity
                                  • API ID: CreateHandle$FilePipe
                                  • String ID: nul
                                  • API String ID: 4209266947-2873401336
                                  • Opcode ID: b44e301d573807109257e6ff9b9cc0fe122da6a9db353b8b55032c29f2a89376
                                  • Instruction ID: 055c401935fdbbb8982b79c207dc2a90898d6c90ce39e7e35d5aea34adaabc03
                                  • Opcode Fuzzy Hash: b44e301d573807109257e6ff9b9cc0fe122da6a9db353b8b55032c29f2a89376
                                  • Instruction Fuzzy Hash: 1F2165709103069FDB159F26DC46A9A77F8AF46720F604A19FD61DB2D0DB70D9A4CF10
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 002A9653
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A9683
                                  • GetStdHandle.KERNEL32(000000F6), ref: 002A9694
                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002A96CE
                                  Similarity
                                  • API ID: CreateHandle$FilePipe
                                  • String ID: nul
                                  • API String ID: 4209266947-2873401336
                                  • Opcode ID: 8d1103bdf0ae95e91a02a3877eaea2d15a4087f34f34a4ecfd573fe97dec792e
                                  • Instruction ID: 2ba9522ca8d94fcba243df424f5848f3a569e5458ffddf0bbab649fef7779f75
                                  • Opcode Fuzzy Hash: 8d1103bdf0ae95e91a02a3877eaea2d15a4087f34f34a4ecfd573fe97dec792e
                                  • Instruction Fuzzy Hash: 4E2174715602069FDB249F6A9C44E9A77ECAF46B20F200A19FEA1D72D0DF7098A1CB50
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 002ADB0A
                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002ADB5E
                                  • __swprintf.LIBCMT ref: 002ADB77
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,002FDC00), ref: 002ADBB5
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu
                                  • API String ID: 3164766367-685833217
                                  • Opcode ID: 2d971fd713d1ad5f1e17b97bcad241a3ec566e95106a97318381d03704d5f613
                                  • Instruction ID: 07694a98d877cad2509aa4a5cb5bfa760189114bebcd8ce507caab4ee60901f5
                                  • Opcode Fuzzy Hash: 2d971fd713d1ad5f1e17b97bcad241a3ec566e95106a97318381d03704d5f613
                                  • Instruction Fuzzy Hash: 8C21A735610148AFCB10EFA4DD85DEEB7B8EF49704B104069F509EB251DB70EA51CF61
                                  APIs
                                    • Part of subcall function 0029C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0029C84A
                                    • Part of subcall function 0029C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0029C85D
                                    • Part of subcall function 0029C82D: GetCurrentThreadId.KERNEL32 ref: 0029C864
                                    • Part of subcall function 0029C82D: AttachThreadInput.USER32(00000000), ref: 0029C86B
                                  • GetFocus.USER32 ref: 0029CA05
                                    • Part of subcall function 0029C876: GetParent.USER32(?), ref: 0029C884
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0029CA4E
                                  • EnumChildWindows.USER32(?,0029CAC4), ref: 0029CA76
                                  • __swprintf.LIBCMT ref: 0029CA90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                  • String ID: %s%d
                                  • API String ID: 3187004680-1110647743
                                  • Opcode ID: 7263dbd0d4394c15ae7b70d10b794e42dd510c0227c42195368a1054727f1a6b
                                  • Instruction ID: 846d977ba238ce9a05949fcd5c962ef0d4c3f8f059cb63d422f47c8938c8609c
                                  • Opcode Fuzzy Hash: 7263dbd0d4394c15ae7b70d10b794e42dd510c0227c42195368a1054727f1a6b
                                  • Instruction Fuzzy Hash: 951184755202097BDF11BFA09CC9FE9376CAF44714F10806AFE08AA186CB709965DF70
                                  APIs
                                  • __lock.LIBCMT ref: 00287AD8
                                    • Part of subcall function 00287CF4: __mtinitlocknum.LIBCMT ref: 00287D06
                                    • Part of subcall function 00287CF4: EnterCriticalSection.KERNEL32(00000000,?,00287ADD,0000000D), ref: 00287D1F
                                  • InterlockedIncrement.KERNEL32(?), ref: 00287AE5
                                  • __lock.LIBCMT ref: 00287AF9
                                  • ___addlocaleref.LIBCMT ref: 00287B17
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                  • String ID: `.
                                  • API String ID: 1687444384-2461250857
                                  • Opcode ID: 4523423708bae2b482021465026e86728e2173d39d1a4b918bd142bd9d71f654
                                  • Instruction ID: 44ce1392c27b6170da622cd84488903775b297e99ceddf592b15dc42f2638b7a
                                  • Opcode Fuzzy Hash: 4523423708bae2b482021465026e86728e2173d39d1a4b918bd142bd9d71f654
                                  • Instruction Fuzzy Hash: 4F016D79456B00DFD721EF75D90A74AB7F0AF44325F20890EE49A976E0CBB0A690CF11
                                  APIs
                                  • _memset.LIBCMT ref: 002CE33D
                                  • _memset.LIBCMT ref: 002CE34C
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00323D00,00323D44), ref: 002CE37B
                                  • CloseHandle.KERNEL32 ref: 002CE38D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _memset$CloseCreateHandleProcess
                                  • String ID: D=2
                                  • API String ID: 3277943733-720233776
                                  • Opcode ID: 66fd13cafb2c88eedc2ae9f018f0bff0aeb2ec6835071df6679f1450d02c4c06
                                  • Instruction ID: cfd5b607a392ab5dbb81703c00ca672c486672055db215841b71990f9f03f7be
                                  • Opcode Fuzzy Hash: 66fd13cafb2c88eedc2ae9f018f0bff0aeb2ec6835071df6679f1450d02c4c06
                                  • Instruction Fuzzy Hash: 2DF089F5650354BEE3112B61BC45F777E5CD704754F404425FF04DA1A2D3795D118BA4
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002C19F3
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002C1A26
                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002C1B49
                                  • CloseHandle.KERNEL32(?), ref: 002C1BBF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                  • String ID:
                                  • API String ID: 2364364464-0
                                  • Opcode ID: cfa073cb26b9970f5db47d103e869201b7d9cf943c3b21ddc84a297efef1ffce
                                  • Instruction ID: f32c6f0f9217046508a933559fefc739d1428efd26659e6408014f8444cccd5b
                                  • Opcode Fuzzy Hash: cfa073cb26b9970f5db47d103e869201b7d9cf943c3b21ddc84a297efef1ffce
                                  • Instruction Fuzzy Hash: 98819070620205EBDF119F64C896BAEBBE5EF04720F14C459F909AF382D7B4AD618F90
                                  APIs
                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002CE1D5
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002CE20D
                                  • IsDlgButtonChecked.USER32(?,00000001), ref: 002CE248
                                  • GetWindowLongW.USER32(?,000000EC), ref: 002CE269
                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002CE281
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$ButtonCheckedLongWindow
                                  • String ID:
                                  • API String ID: 3188977179-0
                                  • Opcode ID: 8e45eeaf1db8fac6280022db95aa7111d22f1d1d2872b418a88b12ff6240a9b2
                                  • Instruction ID: 48ffdc4ed053bb6e16b71c6127c05cb9a6d8e0e0947d61c3d4182e02611bcb1c
                                  • Opcode Fuzzy Hash: 8e45eeaf1db8fac6280022db95aa7111d22f1d1d2872b418a88b12ff6240a9b2
                                  • Instruction Fuzzy Hash: E861C174A60245AFDF21CF18C884FAE77BAEF49300F0A425DF85997291C7B0AD60CB51
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 002A1CB4
                                  • VariantClear.OLEAUT32(00000013), ref: 002A1D26
                                  • VariantClear.OLEAUT32(00000000), ref: 002A1D81
                                  • VariantClear.OLEAUT32(?), ref: 002A1DF8
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002A1E26
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$ChangeInitType
                                  • String ID:
                                  • API String ID: 4136290138-0
                                  • Opcode ID: e2923043a581e13790c7c466f98a4c7aa205115a133efe84f79f045c8f6dec1f
                                  • Instruction ID: 76f277c2971e7c317cc091ece94b6e2ef6216db09bc9203a31090c4c16767353
                                  • Opcode Fuzzy Hash: e2923043a581e13790c7c466f98a4c7aa205115a133efe84f79f045c8f6dec1f
                                  • Instruction Fuzzy Hash: 7D5148B5A10209AFDB14CF58C884AAAB7B8FF4D314F158559E959DB340D730EA61CBA0
                                  APIs
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002C06EE
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 002C077D
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 002C079B
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 002C07E1
                                  • FreeLibrary.KERNEL32(00000000,00000004), ref: 002C07FB
                                    • Part of subcall function 0027E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,002AA574,?,?,00000000,00000008), ref: 0027E675
                                    • Part of subcall function 0027E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,002AA574,?,?,00000000,00000008), ref: 0027E699
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                  • String ID:
                                  • API String ID: 327935632-0
                                  • Opcode ID: 76fd60772c7ef048890cf1af181f1b67c23bfbb17898d27a87b889491c5eef19
                                  • Instruction ID: 461e5cbe8894124ef33419a5270286eae23fce6b4fa9486b6ba0dbdf9727de9a
                                  • Opcode Fuzzy Hash: 76fd60772c7ef048890cf1af181f1b67c23bfbb17898d27a87b889491c5eef19
                                  • Instruction Fuzzy Hash: EE515A75A10209DFCB04EFA8C4C5EADB7B5BF08310B148199E919AB352DB30ED55CF90
                                  APIs
                                    • Part of subcall function 002C3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002C2BB5,?,?), ref: 002C3C1D
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002C2EEF
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002C2F2E
                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002C2F75
                                  • RegCloseKey.ADVAPI32(?,?), ref: 002C2FA1
                                  • RegCloseKey.ADVAPI32(00000000), ref: 002C2FAE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                  • String ID:
                                  • API String ID: 3740051246-0
                                  • Opcode ID: 7fe02cac431fe7587aa9c6fc41c760a52c178541d3cb3eefa8ca49f01e50ecac
                                  • Instruction ID: a4d52922684351509f6e29d3957575851bf4643260899ae7b1bd46f473ae1aa1
                                  • Opcode Fuzzy Hash: 7fe02cac431fe7587aa9c6fc41c760a52c178541d3cb3eefa8ca49f01e50ecac
                                  • Instruction Fuzzy Hash: 3A514771628208EFC704EF64C881F6AB7F9BF88304F14891DB595972A1DB70E968CF52
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11367302b7bc937bba0d43a7093995b095bd4859d86559b62a442159e1377d86
                                  • Instruction ID: 7515da9f25fa85f8702334b8ac9335d5e5bf97a0ed3d62fdfb37a3c4050b4ea7
                                  • Opcode Fuzzy Hash: 11367302b7bc937bba0d43a7093995b095bd4859d86559b62a442159e1377d86
                                  • Instruction Fuzzy Hash: C841C839920245AFC724DF68DC48FA9BF68EB09310F25036DF95EA72D1C770AD61DA90
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002B12B4
                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002B12DD
                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002B131C
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002B1341
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002B1349
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                  • String ID:
                                  • API String ID: 1389676194-0
                                  • Opcode ID: 4685cb45865cc20ec7f8cc19c38cc2c2faa2b8f6bdeaedf83ac98d30c48d7a89
                                  • Instruction ID: 66348e042946189f739681e0bf9dec798bd0416a0f1feaa35aca672f8c51681b
                                  • Opcode Fuzzy Hash: 4685cb45865cc20ec7f8cc19c38cc2c2faa2b8f6bdeaedf83ac98d30c48d7a89
                                  • Instruction Fuzzy Hash: 8F41E735A10105DFDF01EF64C995AAEBBF9EF08314B148099E90AAB362DB31ED61DF50
                                  APIs
                                  • GetCursorPos.USER32(000000FF), ref: 0027B64F
                                  • ScreenToClient.USER32(00000000,000000FF), ref: 0027B66C
                                  • GetAsyncKeyState.USER32(00000001), ref: 0027B691
                                  • GetAsyncKeyState.USER32(00000002), ref: 0027B69F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AsyncState$ClientCursorScreen
                                  • String ID:
                                  • API String ID: 4210589936-0
                                  • Opcode ID: dc8dc45fc4607a0b95543662f698ffb9b36586baafa7850a052ee87706764755
                                  • Instruction ID: 3d7ef91d45a40f7a3cf6300caa30887c7b2f5cba2d76393bcd059b313a2bf28c
                                  • Opcode Fuzzy Hash: dc8dc45fc4607a0b95543662f698ffb9b36586baafa7850a052ee87706764755
                                  • Instruction Fuzzy Hash: 6D417F35524516FFCF169F64C844BE9BBB8FB05324F20831AF82996290CB30ADA4DF91
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 0029B369
                                  • PostMessageW.USER32(?,00000201,00000001), ref: 0029B413
                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0029B41B
                                  • PostMessageW.USER32(?,00000202,00000000), ref: 0029B429
                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0029B431
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessagePostSleep$RectWindow
                                  • String ID:
                                  • API String ID: 3382505437-0
                                  • Opcode ID: 44f698ce3b84760b9321028a07ae8503d015db81cb4f08a31e3027f4c31d595f
                                  • Instruction ID: 7e57f3906820f3b3c6a45e451639675b299b5ed25f9f52ef8d0de9f0bb095b07
                                  • Opcode Fuzzy Hash: 44f698ce3b84760b9321028a07ae8503d015db81cb4f08a31e3027f4c31d595f
                                  • Instruction Fuzzy Hash: 4931DF7191025AEBDF04CFA8EE8DA9E3BB5EB04315F104269F825AB1D1C3B09924DB90
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 0029DBD7
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0029DBF4
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0029DC2C
                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0029DC52
                                  • _wcsstr.LIBCMT ref: 0029DC5C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                  • String ID:
                                  • API String ID: 3902887630-0
                                  • Opcode ID: 0e135ed2000b438298823d3e48237934166ac5768b60694668a1db64d349eff9
                                  • Instruction ID: 1716e0d4bd9f80b1264618e73083faa6fe9cbf88aa600da02c11c6dcf554c250
                                  • Opcode Fuzzy Hash: 0e135ed2000b438298823d3e48237934166ac5768b60694668a1db64d349eff9
                                  • Instruction Fuzzy Hash: 06210772224140BBEF159F39ED49E7B7BACDF45750F10802AF809CA191EAA1DC11E6A0
                                  APIs
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0029BC90
                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0029BCC2
                                  • __itow.LIBCMT ref: 0029BCDA
                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0029BD00
                                  • __itow.LIBCMT ref: 0029BD11
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow
                                  • String ID:
                                  • API String ID: 3379773720-0
                                  • Opcode ID: 4fd69c3cf67d0021d13a61c39638ebcd085f05607a4b05ce189c3d84ade4dade
                                  • Instruction ID: f7e88a1aef5a2dfa07cd74c336284c92ad639b6e456cdaad37573cf05976f624
                                  • Opcode Fuzzy Hash: 4fd69c3cf67d0021d13a61c39638ebcd085f05607a4b05ce189c3d84ade4dade
                                  • Instruction Fuzzy Hash: DB21C9356102187BDF11AE65AD89FDE7A6DAF49710F100025F909EB1C1DB608D6587F1
                                  APIs
                                    • Part of subcall function 002650E6: _wcsncpy.LIBCMT ref: 002650FA
                                  • GetFileAttributesW.KERNEL32(?,?,?,?,002A60C3), ref: 002A6369
                                  • GetLastError.KERNEL32(?,?,?,002A60C3), ref: 002A6374
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002A60C3), ref: 002A6388
                                  • _wcsrchr.LIBCMT ref: 002A63AA
                                    • Part of subcall function 002A6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002A60C3), ref: 002A63E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                  • String ID:
                                  • API String ID: 3633006590-0
                                  • Opcode ID: be8ba95e146d54941de915fa2ee1a026ca6a79706ee7d7e0dc3dd0f175bcb7d0
                                  • Instruction ID: 01916c20b36dbee01b47e2bf332ca2943c835c3bbb04c69ab1c8503ee73a0777
                                  • Opcode Fuzzy Hash: be8ba95e146d54941de915fa2ee1a026ca6a79706ee7d7e0dc3dd0f175bcb7d0
                                  • Instruction Fuzzy Hash: B8213B315352164BDF14AF74AC4AFEA239CAF07B60F1440E6F505C70C0EFA0D9A64E51
                                  APIs
                                    • Part of subcall function 002BA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002BA84E
                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002B8BD3
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8BE2
                                  • connect.WSOCK32(00000000,?,00000010), ref: 002B8BFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorLastconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 3701255441-0
                                  • Opcode ID: aad62b6d1aa941a99ccea081fc8c257023e6bd6f3717749cf27308cf3eca98d7
                                  • Instruction ID: 8e177d1408fe74fcb6a8ec9776b0d81d8f32d1cb3062d15dc01b9fc1d8f2ea56
                                  • Opcode Fuzzy Hash: aad62b6d1aa941a99ccea081fc8c257023e6bd6f3717749cf27308cf3eca98d7
                                  • Instruction Fuzzy Hash: 9621C0712502159FDB14AF28DD89BBEB7ADEF48750F04844AF90AEB392CF70AC518B51
                                  APIs
                                  • IsWindow.USER32(00000000), ref: 002B8441
                                  • GetForegroundWindow.USER32 ref: 002B8458
                                  • GetDC.USER32(00000000), ref: 002B8494
                                  • GetPixel.GDI32(00000000,?,00000003), ref: 002B84A0
                                  • ReleaseDC.USER32(00000000,00000003), ref: 002B84DB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ForegroundPixelRelease
                                  • String ID:
                                  • API String ID: 4156661090-0
                                  • Opcode ID: dc84258afe2ad0f1ff3823ad2ab7a4d2fa22e13bb9ecfdc3f65d0c55d425efdb
                                  • Instruction ID: e0964c8c8dd1727b32cd21cff13147ca28c89bcf8153a9e225f43cdbe6e07496
                                  • Opcode Fuzzy Hash: dc84258afe2ad0f1ff3823ad2ab7a4d2fa22e13bb9ecfdc3f65d0c55d425efdb
                                  • Instruction Fuzzy Hash: 4F218475A10204AFD710DFA4D989A9EB7F9EF48341F048479E8599B252DB70AC54CB60
                                  APIs
                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0027AFE3
                                  • SelectObject.GDI32(?,00000000), ref: 0027AFF2
                                  • BeginPath.GDI32(?), ref: 0027B009
                                  • SelectObject.GDI32(?,00000000), ref: 0027B033
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$BeginCreatePath
                                  • String ID:
                                  • API String ID: 3225163088-0
                                  • Opcode ID: 0c8ae82f07894f7b259ba527dc94e1cfdb4f58cd3fb61f9e1ffd8b5f7d5ddb86
                                  • Instruction ID: c3ff5e9547f78f16bce0bcedcb3c1555ff65e1bf7824cca3351d3c4498757c9e
                                  • Opcode Fuzzy Hash: 0c8ae82f07894f7b259ba527dc94e1cfdb4f58cd3fb61f9e1ffd8b5f7d5ddb86
                                  • Instruction Fuzzy Hash: 5D217470810349EFDB32DF55ED48BAE7B6DB720365F14821EE829A61A0D3714866CF91
                                  APIs
                                  • __calloc_crt.LIBCMT ref: 002821A9
                                  • CreateThread.KERNEL32(?,?,002822DF,00000000,?,?), ref: 002821ED
                                  • GetLastError.KERNEL32 ref: 002821F7
                                  • _free.LIBCMT ref: 00282200
                                  • __dosmaperr.LIBCMT ref: 0028220B
                                    • Part of subcall function 00287C0E: __getptd_noexit.LIBCMT ref: 00287C0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 2664167353-0
                                  • Opcode ID: 7eca309ec74870d1629192ddd018659f5f12c5fee7c6c2e618ff7c7f6a87a6de
                                  • Instruction ID: 6dcaa460ee1282e9a3d923c83d6cd854dfe375eda6b97b6cab935ece3afbec8e
                                  • Opcode Fuzzy Hash: 7eca309ec74870d1629192ddd018659f5f12c5fee7c6c2e618ff7c7f6a87a6de
                                  • Instruction Fuzzy Hash: BF11E53A126346EF9B11BF64DC45D5B7798EF05760B200029FD28861D6DB71D8318BA1
                                  APIs
                                  • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0029ABD7
                                  • GetLastError.KERNEL32(?,0029A69F,?,?,?), ref: 0029ABE1
                                  • GetProcessHeap.KERNEL32(00000008,?,?,0029A69F,?,?,?), ref: 0029ABF0
                                  • HeapAlloc.KERNEL32(00000000,?,0029A69F,?,?,?), ref: 0029ABF7
                                  • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0029AC0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 842720411-0
                                  • Opcode ID: da6e4fd0faed30528e5775f7a081529b303a6d1db0a4c54bc0f974d0e9934acd
                                  • Instruction ID: 827da643317847c86044f0a948621494f34f197a30ec74ca130745986ec00b28
                                  • Opcode Fuzzy Hash: da6e4fd0faed30528e5775f7a081529b303a6d1db0a4c54bc0f974d0e9934acd
                                  • Instruction Fuzzy Hash: 63016970250245BFDF104FA9EC8CDAB3BACEF8A354710042AF809CB260DA718C50CBA0
                                  APIs
                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002A7A74
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002A7A82
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002A7A8A
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002A7A94
                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002A7AD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: 279e2af160e17281d0a97913c3f7b9877ea4b94d59eb731b1ab011748da91d6c
                                  • Instruction ID: 976e809299ce838e6875405a7291422aedae5eedb21bcdba48f5dd081c91d86d
                                  • Opcode Fuzzy Hash: 279e2af160e17281d0a97913c3f7b9877ea4b94d59eb731b1ab011748da91d6c
                                  • Instruction Fuzzy Hash: C5014C31D14619EBDF00AFE4EC9DADEBB78FF09711F000455E502B6252DF30966087A5
                                  APIs
                                  • CLSIDFromProgID.OLE32 ref: 00299ADC
                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 00299AF7
                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 00299B05
                                  • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00299B15
                                  • CLSIDFromString.OLE32(?,?), ref: 00299B21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                  • String ID:
                                  • API String ID: 3897988419-0
                                  • Opcode ID: f3e29e2d90809a9516826005db37f62223c6b70b6b0d25c6585b86caccebe5c2
                                  • Instruction ID: e1e9350abf60edc8545b44e31e4a166b4342a38aa576a7497184054dd22ec12a
                                  • Opcode Fuzzy Hash: f3e29e2d90809a9516826005db37f62223c6b70b6b0d25c6585b86caccebe5c2
                                  • Instruction Fuzzy Hash: AB018F76610215BFDB108F58EC88B9E7BEDEF44366F144028F909D6210D774DD919BB0
                                  APIs
                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0029AA79
                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0029AA83
                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0029AA92
                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0029AA99
                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0029AAAF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: 7cdc830ee3ad8154148ef794a75e67ba9e02caf1981ded8f37e778135e72c869
                                  • Instruction ID: 7ac0f5d6dcec2d1af9119e9b6e5f42bd3ab9f824873ab5c9d647d9618065a2e6
                                  • Opcode Fuzzy Hash: 7cdc830ee3ad8154148ef794a75e67ba9e02caf1981ded8f37e778135e72c869
                                  • Instruction Fuzzy Hash: 83F0A935281305AFEB101FA4EC8CEAB3BBCFF4A754F00002DF905CB1A0DA609C11CAA1
                                  APIs
                                   • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0029AADA
                                   • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 0029AAE4
                                   • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 0029AAF3
                                   • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0029AAFA
                                   • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0029AB10
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: a2ed07b3336cb44160f7d0b1e92df3d54263a5152962f44006c9a7f62a0fcda1
                                  • Instruction ID: 0a5983b07fccbe6200101dfc97648f3904cd42b2bd3991a1b190edbb02a5b78a
                                  • Opcode Fuzzy Hash: a2ed07b3336cb44160f7d0b1e92df3d54263a5152962f44006c9a7f62a0fcda1
                                  • Instruction Fuzzy Hash: AEF04F752503496FEB111FA4FCD8E673B6DFF45758F000029F945CB190CA6099118AA1
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 0029EC94
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0029ECAB
                                  • MessageBeep.USER32(00000000), ref: 0029ECC3
                                  • KillTimer.USER32(?,0000040A), ref: 0029ECDF
                                  • EndDialog.USER32(?,00000001), ref: 0029ECF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: 78a5d2acedcbe2e43bc8983b6331e3c178519306dd5078c59f45562f3c9fe3b4
                                  • Instruction ID: 796602f1d31910bf5afe040d7ea63dfff19be778c76e7a55da0b7820a9ecbb58
                                  • Opcode Fuzzy Hash: 78a5d2acedcbe2e43bc8983b6331e3c178519306dd5078c59f45562f3c9fe3b4
                                  • Instruction Fuzzy Hash: 4C018130550745ABEF349F50EE8EB9677B8FB00705F01095AB582A54E0DBF0AA94CB40
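A practitioner reading these per-function summaries wants two things the raw listing does not give: the numeric arguments decoded into their SDK names, and a quick capability label per function. Note also what the summaries are: the source image at 00260000 is the sample's own module, which for a compiled AutoIt executable (the report's classification of this sample) is the interpreter stub, so sequences such as socket/connect at ref 002B8BD3, the GetTokenInformation size-probe pairs at 0029AA79 and 0029AADA, the list-view SendMessageW reads at 0029BC90 and the QueryPerformanceCounter/Sleep loop at 002A7A74 are the runtime's built-ins, not the embedded script's logic. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses lines of the form `Name.MODULE(args), ref: ADDR` (including the indented `Part of subcall function` entries), decodes `socket()` family/type/protocol from winsock2.h, `GetTokenInformation` classes from winnt.h's TOKEN_INFORMATION_CLASS (2 = TokenGroups, 3 = TokenPrivileges, 25 = TokenIntegrityLevel) and WM_/LVM_ message numbers from winuser.h/commctrl.h, detects the two-call size-probe idiom, and emits coarse tags. The tag names and tagging rules are this example's own; the two sample listings are constructed by copying the socket block at 002B8BD3 and the token block at 0029AA79 from this section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constant tables keyed by their Windows SDK values (winsock2.h; winnt.h
# TOKEN_INFORMATION_CLASS; winuser.h / commctrl.h message numbers).
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
IP_PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                    20: "TokenElevation", 25: "TokenIntegrityLevel"}
WINDOW_MSG = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
              0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE"}
ARG_DECODERS = {"socket": [(0, ADDRESS_FAMILY), (1, SOCKET_TYPE), (2, IP_PROTO)],
                "GetTokenInformation": [(1, TOKEN_INFO_CLASS)],
                "SendMessageW": [(1, WINDOW_MSG)]}
ALLOCATORS = {"HeapAlloc", "LocalAlloc", "GlobalAlloc", "VirtualAlloc", "__calloc_crt"}

# One report line: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:"; LIBCMT entries carry no argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?P<rest>.*?),?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?' or a label
    ref: int                    # call-site address inside the memory dump
    subcall_of: Optional[int]   # callee address for "Part of subcall" lines
    decoded: Dict[int, str]     # argument index -> symbolic constant name

def _split_args(rest: str) -> List[str]:
    # First balanced (...) split on top-level commas; "00000003(Label)" stays whole.
    rest = rest.lstrip()
    if not rest.startswith("("):
        return []
    depth, start, out = 0, 1, []
    for i, ch in enumerate(rest):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            out.append(rest[start:i])
            break
        if ch == "," and depth == 1:
            out.append(rest[start:i])
            start = i + 1
    return [a.strip() for a in out]

def _arg_value(text: str) -> Optional[int]:
    # "0000102C" -> 0x102C; "00000003(Label)" -> 3; "?" or a bare label -> None
    m = re.match(r"^([0-9A-Fa-f]{8})", text)
    return int(m.group(1), 16) if m else None

def _decode(name: str, args: List[Optional[int]]) -> Dict[int, str]:
    return {idx: table[args[idx]] for idx, table in ARG_DECODERS.get(name, [])
            if idx < len(args) and args[idx] in table}

def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        name, sub = m.group("name"), m.group("sub")
        args = [_arg_value(a) for a in _split_args(m.group("rest"))]
        calls.append(ApiCall(name, m.group("mod"), args, int(m.group("ref"), 16),
                             int(sub, 16) if sub else None, _decode(name, args)))
    return calls

def size_probe_apis(calls: List[ApiCall]) -> Set[str]:
    # Same API called twice with an allocation in between: the "query the
    # required size, allocate, query again" idiom seen with GetTokenInformation.
    return {a.name for i, a in enumerate(calls) for j in range(i + 1, len(calls))
            if calls[j].name == a.name and any(c.name in ALLOCATORS for c in calls[i + 1:j])}

def capability_tags(calls: List[ApiCall]) -> Set[str]:
    # Coarse triage labels; the rules and the tag names are this example's own.
    names = {c.name for c in calls}
    symbols = {v for c in calls for v in c.decoded.values()}
    tags = {"token-query:" + c.decoded[1] for c in calls
            if c.name == "GetTokenInformation" and 1 in c.decoded}
    if {"socket", "connect"} <= names:
        tags.add("tcp-client" if "IPPROTO_TCP" in symbols else "socket-client")
    if "GetWindowTextW" in names or symbols & {"WM_GETTEXT", "LVM_GETITEMCOUNT", "LVM_GETITEMSTATE"}:
        tags.add("gui-read")
    if {"QueryPerformanceCounter", "Sleep"} <= names:
        tags.add("timed-delay")
    return tags | {"size-probe:" + n for n in size_probe_apis(calls)}

# Constructed input: two listings copied verbatim from this section of the report.
SAMPLE_BLOCKS = {
    "tcp_connect_002B8BD3": """APIs
  • Part of subcall function 002BA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002BA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002B8BD3
• WSAGetLastError.WSOCK32(00000000), ref: 002B8BE2
• connect.WSOCK32(00000000,?,00000010), ref: 002B8BFE""",
    "token_groups_0029AA79": """APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0029AA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0029AA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0029AA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0029AA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0029AAAF""",
}

def summarize(blocks: Dict[str, str]) -> Dict[str, Set[str]]:
    return {label: capability_tags(parse_api_block(text)) for label, text in blocks.items()}
```

`summarize(SAMPLE_BLOCKS)` yields `tcp-client` for the socket block and `token-query:TokenGroups` plus `size-probe:GetTokenInformation` for the token block. Arguments the sandbox printed as `?` are kept as `None` rather than guessed, and the decoder derives names from the numeric value only, so a label the report attaches in parentheses never overrides the SDK numbering.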
                                  APIs
                                  • EndPath.GDI32(?), ref: 0027B0BA
                                  • StrokeAndFillPath.GDI32(?,?,002DE680,00000000,?,?,?), ref: 0027B0D6
                                  • SelectObject.GDI32(?,00000000), ref: 0027B0E9
                                  • DeleteObject.GDI32 ref: 0027B0FC
                                  • StrokePath.GDI32(?), ref: 0027B117
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: e0bb61c868ab605a9f91b6fb899fc99828be566dc03785d2e077f700127a6b4b
                                  • Instruction ID: b52c9f1882a17a7b322369f2e7e0a971c181b253e9a23d4a1c1d7150c373dbce
                                  • Opcode Fuzzy Hash: e0bb61c868ab605a9f91b6fb899fc99828be566dc03785d2e077f700127a6b4b
                                  • Instruction Fuzzy Hash: 1FF0C930050249EFDB339F65EE4DB993B69A721362F588319E82D590F0C7318966DF90
                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 002AF2DA
                                  • CoCreateInstance.OLE32(002EDA7C,00000000,00000001,002ED8EC,?), ref: 002AF2F2
                                  • CoUninitialize.OLE32 ref: 002AF555
                                  Strings
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize
                                  • String ID: .lnk
                                  • API String ID: 948891078-24824748
                                  • Opcode ID: 3f2b6bdafba22b815d017cbaa41af8995758a65283f075e554600d743d8b1c74
                                  • Instruction ID: b27d2fced23fa92bd1e5e833680926ca4269a9f1fb47c0646a80592cf8bc7c87
                                  • Opcode Fuzzy Hash: 3f2b6bdafba22b815d017cbaa41af8995758a65283f075e554600d743d8b1c74
                                  • Instruction Fuzzy Hash: 5CA15B71114201AFD300EF64C881EABB7ECEF99714F10491DF19997292EB70EA59CB92
                                  APIs
                                    • Part of subcall function 0026660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002653B1,?,?,002661FF,?,00000000,00000001,00000000), ref: 0026662F
                                  • CoInitialize.OLE32(00000000), ref: 002AE85D
                                  • CoCreateInstance.OLE32(002EDA7C,00000000,00000001,002ED8EC,?), ref: 002AE876
                                  • CoUninitialize.OLE32 ref: 002AE893
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  Strings
                                  Similarity
                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                  • String ID: .lnk
                                  • API String ID: 2126378814-24824748
                                  • Opcode ID: c2752d2786978ba62401bb3fe7d739e54347335393e1816a9693a7ef732211d5
                                  • Instruction ID: ce5bea8c3b2a4addf72dc06d3c317ee74c2494014c5a9da72fd5a3da845e0ce2
                                  • Opcode Fuzzy Hash: c2752d2786978ba62401bb3fe7d739e54347335393e1816a9693a7ef732211d5
                                  • Instruction Fuzzy Hash: 53A167356143029FCB14DF14C48491ABBE5FF89310F158988F9999B3A2CB31EC96CF91
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 002832ED
                                    • Part of subcall function 0028E0D0: __87except.LIBCMT ref: 0028E10B
                                  Strings
                                  Similarity
                                  • API ID: ErrorHandling__87except__start
                                  • String ID: pow
                                  • API String ID: 2905807303-2276729525
                                  • Opcode ID: 4ebfe6727157df35b5af9aa69b998373d0118300340512c0a883b2cfde488b27
                                  • Instruction ID: d28e5c787062b716059d2289fe0ddc7c8841d4f6142a3bac65fef24e09b0a090
                                  • Opcode Fuzzy Hash: 4ebfe6727157df35b5af9aa69b998373d0118300340512c0a883b2cfde488b27
                                  • Instruction Fuzzy Hash: 49515A79A3B20396DF15BF14C90537A2B94AB41B60F308D68F895821EDDF748DB8DB81
                                  APIs
                                  • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,002FDC50,?,0000000F,0000000C,00000016,002FDC50,?), ref: 002A4645
                                    • Part of subcall function 0026936C: __swprintf.LIBCMT ref: 002693AB
                                    • Part of subcall function 0026936C: __itow.LIBCMT ref: 002693DF
                                  • CharUpperBuffW.USER32(?,?,00000000,?), ref: 002A46C5
                                  Strings
                                  Similarity
                                  • API ID: BuffCharUpper$__itow__swprintf
                                  • String ID: REMOVE$THIS
                                  • API String ID: 3797816924-776492005
                                  • Opcode ID: a79d14061cb33e98851b967e6c6fb072005d4a583cc6d2dc51944bedeae5f7d6
                                  • Instruction ID: 1ef8af9a0d8aaa3d5e79e23e5e2b527b4b34ad84f4f001ff092b99e3ed0a7617
                                  • Opcode Fuzzy Hash: a79d14061cb33e98851b967e6c6fb072005d4a583cc6d2dc51944bedeae5f7d6
                                  • Instruction Fuzzy Hash: EC418434A1024A9FCF01EF54C885AADB7B9FF8A304F148059E916AB252DFB4DDA5CF50
                                  APIs
                                    • Part of subcall function 002A430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0029BC08,?,?,00000034,00000800,?,00000034), ref: 002A4335
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0029C1D3
                                    • Part of subcall function 002A42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0029BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 002A4300
                                    • Part of subcall function 002A422F: GetWindowThreadProcessId.USER32(?,?), ref: 002A425A
                                    • Part of subcall function 002A422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0029BBCC,00000034,?,?,00001004,00000000,00000000), ref: 002A426A
                                    • Part of subcall function 002A422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0029BBCC,00000034,?,?,00001004,00000000,00000000), ref: 002A4280
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0029C240
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0029C28D
                                  Strings
                                  Similarity
                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                  • String ID: @
                                  • API String ID: 4150878124-2766056989
                                  • Opcode ID: bb7f80c64bf64c4b935f534a7cc9ec2f5398ab540e61955692a6098445f665f0
                                  • Instruction ID: 80085e340b6aae46bd7360e1da5864ef185e4e8dfbbce2266d4f15d8b7acae2e
                                  • Opcode Fuzzy Hash: bb7f80c64bf64c4b935f534a7cc9ec2f5398ab540e61955692a6098445f665f0
                                  • Instruction Fuzzy Hash: 20413972900218AFDF10EFA4CD81AEEB7B8AF4A300F104095FA45B7181DA71AE95CF61
                                  APIs
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002FDC00,00000000,?,?,?,?), ref: 002CA6D8
                                  • GetWindowLongW.USER32 ref: 002CA6F5
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002CA705
                                  Strings
                                  Similarity
                                  • API ID: Window$Long
                                  • String ID: SysTreeView32
                                  • API String ID: 847901565-1698111956
                                  • Opcode ID: 78e591433e19aa213f3e02f39841e51f82597f3b03d6039537b44d8106246c78
                                  • Instruction ID: 6197710d0323697a90dffdcaa4c73f13928936f681bc9edfa525229cd6555059
                                  • Opcode Fuzzy Hash: 78e591433e19aa213f3e02f39841e51f82597f3b03d6039537b44d8106246c78
                                  • Instruction Fuzzy Hash: CF318E3166020AAFDF118E38DC45FEA77A9FB49328F244729F975931E0C770A8609B50
                                  APIs
                                  • _memset.LIBCMT ref: 002B5190
                                  • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002B51C6
                                  Strings
                                  Similarity
                                  • API ID: CrackInternet_memset
                                  • String ID: |$D+
                                  • API String ID: 1413715105-807613121
                                  • Opcode ID: b659b43630a10cab6bf8955a14e35f25b3fae6b5f6507890b6c12bef9d761399
                                  • Instruction ID: 6c5192d76823d0406b112b6489a0076e61f490dbb88b9dab098a9bc521149757
                                  • Opcode Fuzzy Hash: b659b43630a10cab6bf8955a14e35f25b3fae6b5f6507890b6c12bef9d761399
                                  • Instruction Fuzzy Hash: A6311971C21119ABCF01AFA4CC85AEEBFB9FF14740F104015EC15AA166DB71A966CFA0
                                  APIs
                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002CA15E
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002CA172
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 002CA196
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: SysMonthCal32
                                  • API String ID: 2326795674-1439706946
                                  • Opcode ID: b1b2cbecceb95312e36c89b3f5c5a6c402e74608a5089c398d05b55c6f4236fb
                                  • Instruction ID: 4fb161a42ac193f728749cfd2b63921342bc7f0fc700c3d6a19520185544c39c
                                  • Opcode Fuzzy Hash: b1b2cbecceb95312e36c89b3f5c5a6c402e74608a5089c398d05b55c6f4236fb
                                  • Instruction Fuzzy Hash: AC21D332560219ABDF118F94CC86FEA3B79EF48714F150218FE596B1D0D6B5AC61CBA0
                                  APIs
                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002CA941
                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002CA94F
                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002CA956
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$DestroyWindow
                                  • String ID: msctls_updown32
                                  • API String ID: 4014797782-2298589950
                                  • Opcode ID: 00cccf3bcbf20a492196e6bbfdd79feb5ee7e622446670dadddd89f3ae582fa9
                                  • Instruction ID: 547e8f6d2e120403265ca5549f4fc6288bf510f84e4915e415743630ee54f27b
                                  • Opcode Fuzzy Hash: 00cccf3bcbf20a492196e6bbfdd79feb5ee7e622446670dadddd89f3ae582fa9
                                  • Instruction Fuzzy Hash: BF2195B561020AAFDB11DF54DC86E6B37ADEF5A368B05025DF9049B351CB30EC21CB61
                                  APIs
                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002C9A30
                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002C9A40
                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002C9A65
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$MoveWindow
                                  • String ID: Listbox
                                  • API String ID: 3315199576-2633736733
                                  • Opcode ID: 4d80c9a581a71bb05ae985e6bac2858c5d997f70396dcae80acc447f460b3669
                                  • Instruction ID: bf2760b570cb5f87d9c1421d044d17051a68cd8e97ce746af39c682d1db5a30a
                                  • Opcode Fuzzy Hash: 4d80c9a581a71bb05ae985e6bac2858c5d997f70396dcae80acc447f460b3669
                                  • Instruction Fuzzy Hash: 47219532660119BFDF258F54DC89FBF3BAEEF89760F018229F9545B190C6719C618BA0
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002CA46D
                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002CA482
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002CA48F
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  • Opcode ID: 763bca1dcdf51dfd3a094b36ee27585c3a24fb7e7cc6bea33b8c247dd0ca6a28
                                  • Instruction ID: 7dc99fcdd3197619006a26803e2a30b0790b845d07461d34c38bada215af2c8d
                                  • Opcode Fuzzy Hash: 763bca1dcdf51dfd3a094b36ee27585c3a24fb7e7cc6bea33b8c247dd0ca6a28
                                  • Instruction Fuzzy Hash: 9011E771250209BEEF255F64CC49FEB376DFF88768F01421CFA45A6091D2B1E821DB20
                                  APIs
                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00282350,?), ref: 002822A1
                                  • GetProcAddress.KERNEL32(00000000), ref: 002822A8
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RoInitialize$combase.dll
                                  • API String ID: 2574300362-340411864
                                  • Opcode ID: aa868bedc21d767947313f66da62e27eeb74ecf60985afe8cb7e670756c61022
                                  • Instruction ID: 5455222db6a3c64e6873c0bc17d6fa4d008e1a2c61cbc0923cb75d64c779b8bb
                                  • Opcode Fuzzy Hash: aa868bedc21d767947313f66da62e27eeb74ecf60985afe8cb7e670756c61022
                                  • Instruction Fuzzy Hash: B4E04F78AE1341EBDB226F71ED8DB54366CB705702F404028F502D91E1CBB454A9DF04
                                  APIs
                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00282276), ref: 00282376
                                  • GetProcAddress.KERNEL32(00000000), ref: 0028237D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RoUninitialize$combase.dll
                                  • API String ID: 2574300362-2819208100
                                  • Opcode ID: 93fbbe1a047639f061d05546d7d34c6ab4f16748489959ab68348e2ec76326d6
                                  • Instruction ID: 2fc6cd2fb8dbd35f235da2ad6f2d6d73a2a54ae3f112e2c3237d4f5e2e30bb7b
                                  • Opcode Fuzzy Hash: 93fbbe1a047639f061d05546d7d34c6ab4f16748489959ab68348e2ec76326d6
                                  • Instruction Fuzzy Hash: 9AE0EC78596341EFDB366F61ED0EB043A6CB709702F114468F509E61F2CBB86439DB14
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: LocalTime__swprintf
                                  • String ID: %.3d$WIN_XPe
                                  • API String ID: 2070861257-2409531811
                                  • Opcode ID: 0865819a740f5fba081238aed469762a5b158247402718e1161d396d85ae9984
                                  • Instruction ID: 4181d104decd88d074db964b7a6214882f5bce1fd9e3141fa7922d8290caf8ab
                                  • Opcode Fuzzy Hash: 0865819a740f5fba081238aed469762a5b158247402718e1161d396d85ae9984
                                  • Instruction Fuzzy Hash: AAE0C271834618DBCB009750CD04CFA737CAB08310F100093FA06A2200E3749FF4AB12
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,002C21FB,?,002C23EF), ref: 002C2213
                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 002C2225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetProcessId$kernel32.dll
                                  • API String ID: 2574300362-399901964
                                  • Opcode ID: ecb7d3fed66764859f2f1fd2d39f4f94a765e77757e3b93bf6025ac00b31e167
                                  • Instruction ID: ab6695825d76b0f19d8f81579b131ae458efdfc7004c3129cc28703c3ff4e52a
                                  • Opcode Fuzzy Hash: ecb7d3fed66764859f2f1fd2d39f4f94a765e77757e3b93bf6025ac00b31e167
                                  • Instruction Fuzzy Hash: 1CD0A734450713DFC7264F30F84CB8276E5EB0D710B00442DEC45E6150DB70D8C48760
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,002642EC,?,002642AA,?), ref: 00264304
                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00264316
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                  • API String ID: 2574300362-1355242751
                                  • Opcode ID: 88b690e07b5b7606158a230d4e1de1582264e1165e825a193fc9f18587046b53
                                  • Instruction ID: ee4971ef270d972e503079c1dd85a19c13765b5d308d3206b9c5176f19fe7f96
                                  • Opcode Fuzzy Hash: 88b690e07b5b7606158a230d4e1de1582264e1165e825a193fc9f18587046b53
                                  • Instruction Fuzzy Hash: 64D0A7304947139FC7255F20F84C68276E4EB0C301B10445DE485D7260D7B0C8D08710
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,002641BB,00264341,?,0026422F,?,002641BB,?,?,?,?,002639FE,?,00000001), ref: 00264359
                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0026436B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                  • API String ID: 2574300362-3689287502
                                  • Opcode ID: b4ef0705e6173bea244f8cb89c62dde6dd0a76682d2cdd6c845cbeca4b2a2128
                                  • Instruction ID: cdd1a3eebd5ed5ea5071b44512f91cb2482796309dc3e80aa30e0a4c0b10a53e
                                  • Opcode Fuzzy Hash: b4ef0705e6173bea244f8cb89c62dde6dd0a76682d2cdd6c845cbeca4b2a2128
                                  • Instruction Fuzzy Hash: C9D0A7304907139FC7255F30F84CA8276E4AB18715B10445DE4C5D6250D7B0D8D0C710
                                  APIs
                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,002A051D,?,002A05FE), ref: 002A0547
                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 002A0559
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                  • API String ID: 2574300362-1071820185
                                  • Opcode ID: b9b9fe74b7cecabc462cb39e85f2581148a60e4de4615067f88c0f552b4d473d
                                  • Instruction ID: 91ab146eee9d78b027a9678cfcf566867e655003cc9438b5ca825e2251f79bd6
                                  • Opcode Fuzzy Hash: b9b9fe74b7cecabc462cb39e85f2581148a60e4de4615067f88c0f552b4d473d
                                  • Instruction Fuzzy Hash: 7FD0A7308907139FCB208F61F88C682B7E4BB05301F54C41DF44AD6150DA70C8D08B10
                                  APIs
                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,002A052F,?,002A06D7), ref: 002A0572
                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 002A0584
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                  • API String ID: 2574300362-1587604923
                                  • Opcode ID: d9c9a9207b6c4844921659088874a029a72a1b14c3a79476b53b3554278a0813
                                  • Instruction ID: 0308c446882e66a0c8fc4063cf0e6d14f6f3c134bd0bd89a8cc401ea7f0f18d9
                                  • Opcode Fuzzy Hash: d9c9a9207b6c4844921659088874a029a72a1b14c3a79476b53b3554278a0813
                                  • Instruction Fuzzy Hash: 30D052308907229BC7205F20A888B82BBE8AB09300F50842EE88996250EAB0C8D48F20
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,002BECBE,?,002BEBBB), ref: 002BECD6
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002BECE8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                  • API String ID: 2574300362-1816364905
                                  • Opcode ID: 88371b417330462aa9fa3bba58fedc71d75f6ba2f3704618ed023d8562b9501f
                                  • Instruction ID: 7e89ac72a7c686d765a26e1c9587d057fea34dd98e497a61c79e68c392b147e1
                                  • Opcode Fuzzy Hash: 88371b417330462aa9fa3bba58fedc71d75f6ba2f3704618ed023d8562b9501f
                                  • Instruction Fuzzy Hash: 72D0A7304507239FCF255F61F88C6C27AE4AF08340B01841EF849D6150DF70C8C48750
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,002BBAD3,00000001,002BB6EE,?,002FDC00), ref: 002BBAEB
                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002BBAFD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetModuleHandleExW$kernel32.dll
                                  • API String ID: 2574300362-199464113
                                  • Opcode ID: 0813dd77a3720b2b42e53147f4e32e9aecab20d5c2dc7d3122630c8a699f6bc0
                                  • Instruction ID: 66e9b26e935d06a0bd9cc77913125929d28e1ca92fbdf80f8977c1a69d259edb
                                  • Opcode Fuzzy Hash: 0813dd77a3720b2b42e53147f4e32e9aecab20d5c2dc7d3122630c8a699f6bc0
                                  • Instruction Fuzzy Hash: B7D05E748507139EC7365F21B888AD276E4AB08344B00441DE84796150D7B0C880C610
                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,002C3BD1,?,002C3E06), ref: 002C3BE9
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002C3BFB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2574300362-4033151799
                                  • Opcode ID: 01ab3fd9ce6dd1ebdda3d1369ea321e0eb352f2919e6eda416407ca255f7178a
                                  • Instruction ID: d3cc79ce552f602d66dee87db8279b02dd6192dd33f342672bf26fb1bf0e4c0a
                                  • Opcode Fuzzy Hash: 01ab3fd9ce6dd1ebdda3d1369ea321e0eb352f2919e6eda416407ca255f7178a
                                  • Instruction Fuzzy Hash: 1AD0A7705507539FC7209F60F84CB87BAF4AB05318B10881EE449E6150D6B4C5C08F50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 87655c8b91b982dbfaaf5c9d3b169ba88db2ccd3f11c75ad9296d1af1b5826e2
                                  • Instruction ID: f4ab5440cb3d4e83c1833ed6e6362e87ed913871f47232a5266d9245117d8a00
                                  • Opcode Fuzzy Hash: 87655c8b91b982dbfaaf5c9d3b169ba88db2ccd3f11c75ad9296d1af1b5826e2
                                  • Instruction Fuzzy Hash: FFC17D75A2021AEFDF14DF98C884AAEB7B5FF48720F10459DE805AB251D770DE91CBA0
                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 002BAAB4
                                  • CoUninitialize.OLE32 ref: 002BAABF
                                    • Part of subcall function 002A0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002A027B
                                  • VariantInit.OLEAUT32(?), ref: 002BAACA
                                  • VariantClear.OLEAUT32(?), ref: 002BAD9D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                  • String ID:
                                  • API String ID: 780911581-0
                                  • Opcode ID: 87a972ab79ff4a791dc329cb265d16824eef0364a46ac6ac59f0dfa657cb8d3c
                                  • Instruction ID: e0ccadcf1ba113f54191b306c0063b916b15e03219e97b629f747db4e2fbee59
                                  • Opcode Fuzzy Hash: 87a972ab79ff4a791dc329cb265d16824eef0364a46ac6ac59f0dfa657cb8d3c
                                  • Instruction Fuzzy Hash: 90A14A352247029FDB10DF14C491B5AB7E4BF98750F148449FA9A9B3A2CB70EDA4CF86
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Variant$AllocClearCopyInitString
                                  • String ID:
                                  • API String ID: 2808897238-0
                                  • Opcode ID: e4005b064959b7597888461ae5370afc3daa3266403d962f75f0e685c3841511
                                  • Instruction ID: 40acebcd0d137071716902a884ea96eca1481f1f53a4a399d50ded4236b36817
                                  • Opcode Fuzzy Hash: e4005b064959b7597888461ae5370afc3daa3266403d962f75f0e685c3841511
                                  • Instruction Fuzzy Hash: A35184306343069BDF249F6DD49572EB3A9AF55320B20C86FE54ACB2D1DB7098E08B05
                                  APIs
                                  • GetWindowRect.USER32(01157AF0,?), ref: 002CC544
                                  • ScreenToClient.USER32(?,00000002), ref: 002CC574
                                  • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 002CC5DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  • Opcode ID: 28febc90d0891d77fe97cd1c2adf5a4664b61d9ebdaf1d90a0bcce802c9286e7
                                  • Instruction ID: ae0d1a1a80db2e40c34003f47e4590854b7d0dd19d6a86495dc5756ab1e38179
                                  • Opcode Fuzzy Hash: 28febc90d0891d77fe97cd1c2adf5a4664b61d9ebdaf1d90a0bcce802c9286e7
                                  • Instruction Fuzzy Hash: 7F516175910109EFCF20DF68D980EAE77B9EB55360F24825DF9299B290D730ED51CB90
                                  APIs
                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0029C462
                                  • __itow.LIBCMT ref: 0029C49C
                                    • Part of subcall function 0029C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0029C753
                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0029C505
                                  • __itow.LIBCMT ref: 0029C55A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow
                                  • String ID:
                                  • API String ID: 3379773720-0
                                  • Opcode ID: d82a0a06e86d6107658c6a7679ce85401dcc47b1a17105aa648adb02cdec230a
                                  • Instruction ID: ca94b496ab5978571cd60ac791daa8652461c4dde88f4dfbcacd14db7320bd9a
                                  • Opcode Fuzzy Hash: d82a0a06e86d6107658c6a7679ce85401dcc47b1a17105aa648adb02cdec230a
                                  • Instruction Fuzzy Hash: CC41E671A10209AFDF25EF54C851FEE7BB9AF49700F100059F905B7281DB749AA5CFA1
                                  APIs
                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002A3966
                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 002A3982
                                  • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002A39EF
                                  • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 002A3A4D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: 70fdcc55817e64e2c10dab69efb1223f13cc75363fed1ff5bb0124402f9a4df1
                                  • Instruction ID: 8fc919cc4fcbf88fc382a62af1d17890b5283681632d512cb1170c13d73a5fdd
                                  • Opcode Fuzzy Hash: 70fdcc55817e64e2c10dab69efb1223f13cc75363fed1ff5bb0124402f9a4df1
                                  • Instruction Fuzzy Hash: A3413B30A64259AFEF20CF6498097FEBBB59B47310F04010AF4C1961C1CFB59EA5DB61
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002AE742
                                  • GetLastError.KERNEL32(?,00000000), ref: 002AE768
                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002AE78D
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002AE7B9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 991441868d7046f6d442facf931af1be1a1135a0266a3bbb8269d3a14eaa1e8a
                                  • Instruction ID: e2570871aceebb0c62d158d8acb80b0ed6edb0207aa80d38ad0ed410fa786ec6
                                  • Opcode Fuzzy Hash: 991441868d7046f6d442facf931af1be1a1135a0266a3bbb8269d3a14eaa1e8a
                                  • Instruction Fuzzy Hash: 52412539610611DFCF11AF15C484A4DBBE5BF5A710B198488E906AB3A2CB34FCA18F91
                                  APIs
                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002CB5D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InvalidateRect
                                  • String ID:
                                  • API String ID: 634782764-0
                                  • Opcode ID: e3458dc1e322751d91a24f6a76ff4e327cd2016f7bf41eb1d623ae2ffc0f077a
                                  • Instruction ID: 24b804bfee68c58d451d53b8d5cc83fd23b63dff15e35d042c90b1011f536502
                                  • Opcode Fuzzy Hash: e3458dc1e322751d91a24f6a76ff4e327cd2016f7bf41eb1d623ae2ffc0f077a
                                  • Instruction Fuzzy Hash: D831E434621109FFEF228F28DC8AFAC7769EB05350FA04319FA11D62E1C770A9608B51
                                  APIs
                                  • ClientToScreen.USER32(?,?), ref: 002CD807
                                  • GetWindowRect.USER32(?,?), ref: 002CD87D
                                  • PtInRect.USER32(?,?,002CED5A), ref: 002CD88D
                                  • MessageBeep.USER32(00000000), ref: 002CD8FE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: 07375125182a9a1a4851fa4261b7edad9742a0932f10f59050db910afd816db4
                                  • Instruction ID: 5a37b3d2bb0e07e8f31bf9df28cf30b16783be2abbf33eb63f7eebc8271d45c1
                                  • Opcode Fuzzy Hash: 07375125182a9a1a4851fa4261b7edad9742a0932f10f59050db910afd816db4
                                  • Instruction Fuzzy Hash: 04417B74A10219DFCB22DF58D884FA9BBB5FB88310F1883BDE8159B260D330E956CB40
                                  APIs
                                  • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 002A3AB8
                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 002A3AD4
                                  • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 002A3B34
                                  • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 002A3B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: cfce75a0c9bb46b8a6ef5e632a06d8084c7f564c59781cc49de731171d691422
                                  • Instruction ID: 27f41d7aa201739ba4230bc2e6bedf4b85e2c7cfd84d25132a224a0588e59639
                                  • Opcode Fuzzy Hash: cfce75a0c9bb46b8a6ef5e632a06d8084c7f564c59781cc49de731171d691422
                                  • Instruction Fuzzy Hash: 69312430920258AFEB24CB6488197BE7BA6AB47318F04095AF481961D1CF748FA5DB71
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00294038
                                  • __isleadbyte_l.LIBCMT ref: 00294066
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00294094
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002940CA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 07fd1aec8af4fee4af667854781d5b746d0bc7d53b78c4adfb4a5b3e3d07bd2c
                                  • Instruction ID: 2568e32338aec65d9371108ef66097f84d8d040026b0e5c03bcae08fe15fe90f
                                  • Opcode Fuzzy Hash: 07fd1aec8af4fee4af667854781d5b746d0bc7d53b78c4adfb4a5b3e3d07bd2c
                                  • Instruction Fuzzy Hash: 1431B231620246AFDF25AF75C844FBA7BA5BF41310F154429EA658B1E0E731D8B2DB90
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 002C7CB9
                                    • Part of subcall function 002A5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 002A5F6F
                                    • Part of subcall function 002A5F55: GetCurrentThreadId.KERNEL32 ref: 002A5F76
                                    • Part of subcall function 002A5F55: AttachThreadInput.USER32(00000000,?,002A781F), ref: 002A5F7D
                                  • GetCaretPos.USER32(?), ref: 002C7CCA
                                  • ClientToScreen.USER32(00000000,?), ref: 002C7D03
                                  • GetForegroundWindow.USER32 ref: 002C7D09
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: 65bc6e203407f36ca7db4ac9ffd0f828a270cf545dd0015cff22c5b9fead501f
                                  • Instruction ID: e3cd9526f0ab810cbe312524a43d84638de029e4de0ec05355e69e45427ba29a
                                  • Opcode Fuzzy Hash: 65bc6e203407f36ca7db4ac9ffd0f828a270cf545dd0015cff22c5b9fead501f
                                  • Instruction Fuzzy Hash: 57314F72910108AFDB11EFB5D8859EFFBFDEF54310B10846AE819E7211DA319E158FA0
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • GetCursorPos.USER32(?), ref: 002CF211
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002DE4C0,?,?,?,?,?), ref: 002CF226
                                  • GetCursorPos.USER32(?), ref: 002CF270
                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002DE4C0,?,?,?), ref: 002CF2A6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                  • String ID:
                                  • API String ID: 2864067406-0
                                  • Opcode ID: f7e53583731f3f6300ace6ba9bb0b2e2cea0b9830cbd3564671cb3a335e0c1bc
                                  • Instruction ID: 7dc82b39e5734f9ab9c78768bf355e2a300d516164a317527d7251778602be2a
                                  • Opcode Fuzzy Hash: f7e53583731f3f6300ace6ba9bb0b2e2cea0b9830cbd3564671cb3a335e0c1bc
                                  • Instruction Fuzzy Hash: 95219139510018EFCB268F94D998EFE7BBAEF09720F448169FD054B2A1D3309E61DB51
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002B4358
                                    • Part of subcall function 002B43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002B4401
                                    • Part of subcall function 002B43E2: InternetCloseHandle.WININET(00000000), ref: 002B449E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Internet$CloseConnectHandleOpen
                                  • String ID:
                                  • API String ID: 1463438336-0
                                  • Opcode ID: 69b5398c8e3b0aab9d06824bee1bb9cd8d9e240f9763966b1375b985f1f978e6
                                  • Instruction ID: 6bf7c88d9fb8f61a8a18809d90b37716ac056de2ad6461a27c1b8cce090ac968
                                  • Opcode Fuzzy Hash: 69b5398c8e3b0aab9d06824bee1bb9cd8d9e240f9763966b1375b985f1f978e6
                                  • Instruction Fuzzy Hash: 4A21C235250701BBDB11AF609C80FFBB7E9FF48750F28401ABA159A552D771D8709B90
                                  APIs
                                  • GetWindowLongW.USER32(?,000000EC), ref: 002C8AA6
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C8AC0
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C8ACE
                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002C8ADC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesLayered
                                  • String ID:
                                  • API String ID: 2169480361-0
                                  • Opcode ID: 8558768f9b09825bd158fa96fcbe552909817150b95a8078f7c6235a653af7f6
                                  • Instruction ID: 2d3b574146da43a9dbfdce6f25c186fcc5ecfa056419aa023a223762b5f0a208
                                  • Opcode Fuzzy Hash: 8558768f9b09825bd158fa96fcbe552909817150b95a8078f7c6235a653af7f6
                                  • Instruction Fuzzy Hash: 0F11B131365515AFD704AB14DC45FBA7799BF85320F14821AF916CB2E2CBB0AC608B90
                                  APIs
                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 002B8AE0
                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 002B8AF2
                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 002B8AFF
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002B8B16
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ErrorLastacceptselect
                                  • String ID:
                                  • API String ID: 385091864-0
                                  • Opcode ID: 05e76e83e85f1da4316e36a38b516fee3fc91047f8a5168d7e56499f84cce08e
                                  • Instruction ID: 0925c17944f20f9cdd3230c33c163b30f6b9943490e34cab1aba034190962a36
                                  • Opcode Fuzzy Hash: 05e76e83e85f1da4316e36a38b516fee3fc91047f8a5168d7e56499f84cce08e
                                  • Instruction Fuzzy Hash: 9721C671A001249FC7219F68D884ADEBBECEF4A350F00816AF849DB290DB74D980CF90
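                                   The function blocks above are raw Joe Sandbox "APIs" listings for the unpacked 0x260000 image, one block per disassembled function, with nested "Part of subcall function" lines for calls reached through a callee. The following Python is an added example, not part of this report or of Joe Sandbox's own tooling: it parses that listing format and groups each block's Win32 imports into coarse capability hints so the hundreds of blocks in a report like this can be triaged without reading each one. The sample input is constructed from API lines copied from the blocks above; the capability categories and their names (input_simulation, hardlink_tamper, wininet_client, socket_listener) are my own triage labels, not something the report defines.

```python
"""Parse Joe Sandbox 'APIs' function blocks and tag them with capability hints."""
import re
from collections import Counter

# Constructed sample: API lines copied from the function blocks in this report.
# Each block starts at an "APIs" header and ends at "Memory Dump Source".
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002A3966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 002A3982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002A39EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 002A3A4D
Memory Dump Source
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002AE742
• GetLastError.KERNEL32(?,00000000), ref: 002AE768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002AE78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002AE7B9
Memory Dump Source
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002B4358
  • Part of subcall function 002B43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002B4401
  • Part of subcall function 002B43E2: InternetCloseHandle.WININET(00000000), ref: 002B449E
Memory Dump Source
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 002B8AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 002B8AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 002B8AFF
• WSAGetLastError.WSOCK32(00000000), ref: 002B8B16
Memory Dump Source
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
# The argument list is optional because CRT entries such as "__itow.LIBCMT ref: ..."
# and "GetForegroundWindow.USER32 ref: ..." appear without parentheses.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Triage labels chosen for this example (assumption: not defined by Joe Sandbox).
CAPABILITY_HINTS = {
    "input_simulation": {"SendInput", "SetKeyboardState", "keybd_event", "mouse_event"},
    "hardlink_tamper": {"CreateHardLinkW", "CreateHardLinkA"},
    "wininet_client": {"InternetConnectW", "InternetOpenUrlW", "InternetOpenW", "HttpOpenRequestW"},
    "socket_listener": {"accept", "listen", "bind"},
}


def parse_blocks(report_text):
    """Return a list of blocks, each a dict with a 'calls' list of parsed API lines."""
    blocks, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": []}
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        current["calls"].append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [] if args is None else [a.strip() for a in args.split(",")],
            "ref": m.group("ref"),          # call-site address in the dump
            "subcall": m.group("sub"),      # callee address if reached indirectly
        })
    # Drop blocks with no parsable call (e.g. a block truncated at the page end).
    return [b for b in blocks if b["calls"]]


def block_label(block):
    """Identify a block by its first direct (non-subcall) call site."""
    for call in block["calls"]:
        if call["subcall"] is None:
            return call["ref"]
    return block["calls"][0]["ref"]


def tag_block(block):
    """Sorted capability hints whose API set intersects the block's imports."""
    apis = {call["api"] for call in block["calls"]}
    return sorted(tag for tag, names in CAPABILITY_HINTS.items() if apis & names)


def summarize(report_text):
    """Map each block's label to its capability hints."""
    return {block_label(b): tag_block(b) for b in parse_blocks(report_text)}


def module_histogram(report_text):
    """Count calls per imported module across all blocks."""
    return Counter(c["module"] for b in parse_blocks(report_text) for c in b["calls"])


if __name__ == "__main__":
    for label, tags in summarize(SAMPLE).items():
        print(label, ", ".join(tags) or "-")
    print(module_histogram(SAMPLE))
```

                                   Run against the full exported report text instead of SAMPLE, the summary gives a per-function list of hints and the histogram shows which import families (USER32 input, WININET, WSOCK32) dominate, which is what a triage analyst wants before opening the dump in a disassembler. Subcall lines are kept but flagged, so a hint derived only from a callee can be distinguished from a direct import when it matters.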
                                  APIs
                                    • Part of subcall function 002A1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002A0ABB,?,?,?,002A187A,00000000,000000EF,00000119,?,?), ref: 002A1E77
                                    • Part of subcall function 002A1E68: lstrcpyW.KERNEL32(00000000,?,?,002A0ABB,?,?,?,002A187A,00000000,000000EF,00000119,?,?,00000000), ref: 002A1E9D
                                    • Part of subcall function 002A1E68: lstrcmpiW.KERNEL32(00000000,?,002A0ABB,?,?,?,002A187A,00000000,000000EF,00000119,?,?), ref: 002A1ECE
                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002A187A,00000000,000000EF,00000119,?,?,00000000), ref: 002A0AD4
                                  • lstrcpyW.KERNEL32(00000000,?,?,002A187A,00000000,000000EF,00000119,?,?,00000000), ref: 002A0AFA
                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,002A187A,00000000,000000EF,00000119,?,?,00000000), ref: 002A0B2E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen
                                  • String ID: cdecl
                                  • API String ID: 4031866154-3896280584
                                  • Opcode ID: bef3eb0204991492b2b1d3136e947d9ba5b7dda2d6a7350e72dc419400ec498e
                                  • Instruction ID: b7a8adf1a5fab39a0fcf9e20c8c887cd009caab5415c96300f01baeb3cc3a30c
                                  • Opcode Fuzzy Hash: bef3eb0204991492b2b1d3136e947d9ba5b7dda2d6a7350e72dc419400ec498e
                                  • Instruction Fuzzy Hash: 8111D636110345AFDB259F24DD85D7A77A8FF4A314F80446AE80ACB250EF719860C7A1
                                  APIs
                                  • _free.LIBCMT ref: 00292FB5
                                    • Part of subcall function 0028395C: __FF_MSGBANNER.LIBCMT ref: 00283973
                                    • Part of subcall function 0028395C: __NMSG_WRITE.LIBCMT ref: 0028397A
                                    • Part of subcall function 0028395C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000001,00000000,?,?,0027F507,?,0000000E), ref: 0028399F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: 0613173d2bc52a5a07666cf273b1eda5a12fcce7701140bb5f5a9a436328d0b1
                                  • Instruction ID: 730b449a179fc9f7ff867abbca29dcec33b7f072efc58739757af18f974489e7
                                  • Opcode Fuzzy Hash: 0613173d2bc52a5a07666cf273b1eda5a12fcce7701140bb5f5a9a436328d0b1
                                  • Instruction Fuzzy Hash: E911C63657A212EBDF317F70AC4566A3B98AF14360F20492AF8499A1E1DB70C970DF90
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002A05AC
                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002A05C7
                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002A05DD
                                  • FreeLibrary.KERNEL32(?), ref: 002A0632
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                  • String ID:
                                  • API String ID: 3137044355-0
                                  • Opcode ID: bed30822d8b412ec699a3b9a35cd41ac24356ddcd856042d6b74b170edad765c
                                  • Instruction ID: a56e35cc695552c3fd670539d6d702c92fd39ced33b736687170e6ae89fea001
                                  • Opcode Fuzzy Hash: bed30822d8b412ec699a3b9a35cd41ac24356ddcd856042d6b74b170edad765c
                                  • Instruction Fuzzy Hash: 5C21B171950209EFDB208F91EDC8ADABBBCEF45B08F008469E51696050DBB1EA64DF50
                                  APIs
                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002A6733
                                  • _memset.LIBCMT ref: 002A6754
                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002A67A6
                                  • CloseHandle.KERNEL32(00000000), ref: 002A67AF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                  • String ID:
                                  • API String ID: 1157408455-0
                                  • Opcode ID: bc132cb85e3b50114aea6daaa9b149fb1c23e3fb2fc7ab96ab08edbf4ca1936f
                                  • Instruction ID: 4594c161dc8424cb8685bd5d774db026184808d3568ec97e384650934fd8dd52
                                  • Opcode Fuzzy Hash: bc132cb85e3b50114aea6daaa9b149fb1c23e3fb2fc7ab96ab08edbf4ca1936f
                                  • Instruction Fuzzy Hash: 5C11E775D112287AE7205BA5AC8DFABBABCEF45724F10419AF504E71C0D7704E808B64
                                  APIs
                                    • Part of subcall function 0029AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0029AA79
                                    • Part of subcall function 0029AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0029AA83
                                    • Part of subcall function 0029AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0029AA92
                                    • Part of subcall function 0029AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0029AA99
                                    • Part of subcall function 0029AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0029AAAF
                                  • GetLengthSid.ADVAPI32(?,00000000,0029ADE4,?,?), ref: 0029B21B
                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0029B227
                                  • HeapAlloc.KERNEL32(00000000), ref: 0029B22E
                                  • CopySid.ADVAPI32(?,00000000,?), ref: 0029B247
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                  • String ID:
                                  • API String ID: 4217664535-0
                                  • Opcode ID: ed9f4b2810f5c117b98e76b68493c3ac0e4792912ebcd12eb844a4e8144b6b05
                                  • Instruction ID: 7d6d31c6d02bb4489864096399d971fd532b588ef224ee68c177ac83e68e7540
                                  • Opcode Fuzzy Hash: ed9f4b2810f5c117b98e76b68493c3ac0e4792912ebcd12eb844a4e8144b6b05
                                  • Instruction Fuzzy Hash: 8611E071A10206FFCF159F98ED94AAEB7B9EF84308F24802DE942DB210D771AE54CB10
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0029B498
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0029B4AA
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0029B4C0
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0029B4DB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: a1df93c6621698bf96eadc55b8e31e95fe3f58820e312c89ae33c0120f881938
                                  • Instruction ID: 51e71fa6c8bf6a373cd96b941e1370f325470c1768450ffaf5320c00193e8e6f
                                  • Opcode Fuzzy Hash: a1df93c6621698bf96eadc55b8e31e95fe3f58820e312c89ae33c0120f881938
                                  • Instruction Fuzzy Hash: C1115A7A900218FFDF11DFA8D985E9DBBB8FB08700F2040A1E604B7290D771AE10EB94
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0027B5A5
                                  • GetClientRect.USER32(?,?), ref: 002DE69A
                                  • GetCursorPos.USER32(?), ref: 002DE6A4
                                  • ScreenToClient.USER32(?,?), ref: 002DE6AF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Client$CursorLongProcRectScreenWindow
                                  • String ID:
                                  • API String ID: 4127811313-0
                                  • Opcode ID: 665ff958c744e5d9f6bf85fa249881a28eb0bb39d126602549b01b73beadb389
                                  • Instruction ID: 9b92281a2533bca5f9d8afd06362f6e65af22893ac5ffee1388208ed64313e2e
                                  • Opcode Fuzzy Hash: 665ff958c744e5d9f6bf85fa249881a28eb0bb39d126602549b01b73beadb389
                                  • Instruction Fuzzy Hash: EC11363191002ABFCF11EF98ED89AAE7BB8EB09304F414455F915EB140D374AAA5CBA1
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 002A7352
                                  • MessageBoxW.USER32(?,?,?,?), ref: 002A7385
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002A739B
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002A73A2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 2880819207-0
                                  • Opcode ID: 96141cddff70786bbbf2e2a4c3daae3624323fb65d011035f817bccffbc11f71
                                  • Instruction ID: 9775d74cc972b73c5cfa1601e7cc7028b5a2d4dcf375268d4cc5e4a49aebc34a
                                  • Opcode Fuzzy Hash: 96141cddff70786bbbf2e2a4c3daae3624323fb65d011035f817bccffbc11f71
                                  • Instruction Fuzzy Hash: B8110872A14245EFCB029F68EC49A9E7BAD9B46310F144359FD25D32A1D6B08D108BA4
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027D1BA
                                  • GetStockObject.GDI32(00000011), ref: 0027D1CE
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0027D1D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CreateMessageObjectSendStockWindow
                                  • String ID:
                                  • API String ID: 3970641297-0
                                  • Opcode ID: 3727af1fe3ed544cecea55446200be753dc5b10d50e794724d34d18df0b7de48
                                  • Instruction ID: 6258c63255ab274a3a5e3bed7b5ce934ce4765ebcf424e3af31ecb0d64e2ab72
                                  • Opcode Fuzzy Hash: 3727af1fe3ed544cecea55446200be753dc5b10d50e794724d34d18df0b7de48
                                  • Instruction Fuzzy Hash: 0B11AD7211154ABFEF124FA0AC94EEABB7DFF08365F448106FA0856150C771DC619BA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                  • String ID:
                                  • API String ID: 3016257755-0
                                  • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                  • Instruction ID: 66a750194eb4b6b5309473bd47d2320ef5651d82cf5b7da5c7e085f7fc909315
                                  • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                  • Instruction Fuzzy Hash: 7401483202014EBBCF136E84DC11CEE3F22BB18354B598455FE6859031D336CAB2AB81
                                  APIs
                                    • Part of subcall function 00287A0D: __getptd_noexit.LIBCMT ref: 00287A0E
                                  • __lock.LIBCMT ref: 0028748F
                                  • InterlockedDecrement.KERNEL32(?), ref: 002874AC
                                  • _free.LIBCMT ref: 002874BF
                                  • InterlockedIncrement.KERNEL32(01144D08), ref: 002874D7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                  • String ID:
                                  • API String ID: 2704283638-0
                                  • Opcode ID: b6624cc5b8af026988069bf708c19070d9cbd713b5ad236889e2b4a3ff9bc430
                                  • Instruction ID: d13a34689d97c84fc60fbb1aaf559c910625f06179ef6d8d32253ec8dc31680b
                                  • Opcode Fuzzy Hash: b6624cc5b8af026988069bf708c19070d9cbd713b5ad236889e2b4a3ff9bc430
                                  • Instruction Fuzzy Hash: 8901963E92FA129BD716BF64A40979DBB70BF48721F244005F424676D0C7349961CFD2
                                  APIs
                                    • Part of subcall function 0027AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0027AFE3
                                    • Part of subcall function 0027AF83: SelectObject.GDI32(?,00000000), ref: 0027AFF2
                                    • Part of subcall function 0027AF83: BeginPath.GDI32(?), ref: 0027B009
                                    • Part of subcall function 0027AF83: SelectObject.GDI32(?,00000000), ref: 0027B033
                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002CEA8E
                                  • LineTo.GDI32(00000000,?,?), ref: 002CEA9B
                                  • EndPath.GDI32(00000000), ref: 002CEAAB
                                  • StrokePath.GDI32(00000000), ref: 002CEAB9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                  • String ID:
                                  • API String ID: 1539411459-0
                                  • Opcode ID: d5da67208a4fc85b9a9559345ad78c306cb8d7ac63fcf95c6c96bd9f8267747a
                                  • Instruction ID: bf16789d5ca6c829eb8ea2c255891dd641413acbf1f925c5d7c24db4b29cff26
                                  • Opcode Fuzzy Hash: d5da67208a4fc85b9a9559345ad78c306cb8d7ac63fcf95c6c96bd9f8267747a
                                  • Instruction Fuzzy Hash: 47F05E31045299BBDB229FA4ED0EFCE3F19AF1A321F184205FE11690E187755562CBD5
                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0029C84A
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0029C85D
                                  • GetCurrentThreadId.KERNEL32 ref: 0029C864
                                  • AttachThreadInput.USER32(00000000), ref: 0029C86B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  • Opcode ID: ef53fc8b29225163dd9f19286a8ab7d671856eb05671a1d0650996f96a96dcbc
                                  • Instruction ID: 4ec2685167caa413dc72b244e726f0d709731cd9985f95b448bcf85e95c61c50
                                  • Opcode Fuzzy Hash: ef53fc8b29225163dd9f19286a8ab7d671856eb05671a1d0650996f96a96dcbc
                                  • Instruction Fuzzy Hash: F9E039711812A8BADB211FA2BC4DEDB7F1CFF067A1F008021B60D88460C6B18591CBE0
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 0029B0D6
                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,0029AC9D), ref: 0029B0DD
                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0029AC9D), ref: 0029B0EA
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0029AC9D), ref: 0029B0F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                   • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CurrentOpenProcessThreadToken
                                  • String ID:
                                  • API String ID: 3974789173-0
                                  • Opcode ID: d22e47db70af259adc6c9f6b46c27dcb1dba9d5a32aa7122e016cda49b686259
                                  • Instruction ID: b09e2a8125e0a4d2425b4d2da627702adb1629ba8fb6abe80a034325e7346306
                                  • Opcode Fuzzy Hash: d22e47db70af259adc6c9f6b46c27dcb1dba9d5a32aa7122e016cda49b686259
                                  • Instruction Fuzzy Hash: 2BE086326412129BDB201FB2BD4CB473BA8EF55791F018828F241DE040DB349401CB60
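The function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) repeat in a fixed shape, so a text export of the report can be pulled into structured form, for example to compare direct API sequences between two analyses or to look up an Opcode ID across reports. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. The sample input is constructed from two of the records shown above, including the "Download File" link text that the exported page fuses onto each Associated line; the record and field names (`FunctionRecord`, `ApiCall`, `direct_sequence`) are this example's own.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity).

Added example for this page, not Joe Sandbox code. Field names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BULLET = "•"

# "<API>.<MODULE>(<args>), ref: <addr>"; args and the leading
# "Part of subcall function <addr>: " prefix are both optional.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                      # address of the call site
    subcall_of: Optional[str]     # callee address when the call lives in a subcall


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    associated: List[str] = field(default_factory=list)
    snapshot: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)

    def direct_sequence(self) -> List[str]:
        """API names called directly by this function, in report order."""
        return [c.api for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    rec: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                     # each record opens with its API list
            rec = FunctionRecord()
            records.append(rec)
            section = "APIs"
            continue
        if rec is None:
            continue
        if line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if not line.startswith(BULLET):
            continue
        body = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                rec.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"]))
            continue
        key, _, val = body.partition(":")
        key, val = key.strip(), val.strip()
        if section == "Memory Dump Source":
            if key == "Source File":           # "<dump>, Offset: <hex>, based on PE: true"
                parts = [p.strip() for p in val.split(",")]
                rec.source_file = parts[0]
                for p in parts[1:]:
                    k, _, v = p.partition(":")
                    if k.strip() == "Offset":
                        rec.offset = v.strip()
            elif key == "Associated":          # drop the fused download-link text
                rec.associated.append(val.removesuffix("Download File").strip())
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            rec.snapshot = val
        elif section == "Similarity":
            rec.similarity[key] = val
    return records


def string_id_consistent(rec: FunctionRecord) -> bool:
    """'API String ID' is '<api-hash>-<string-hash>'; an empty String ID pairs with '-0'."""
    _, _, string_hash = rec.similarity.get("API String ID", "").rpartition("-")
    return (string_hash == "0") == (rec.similarity.get("String ID", "") == "")


def index_by_opcode(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Opcode ID -> record, for matching functions across analyses."""
    return {r.similarity["Opcode ID"]: r for r in records if r.similarity.get("Opcode ID")}


# Constructed sample: two records copied from the report text on this page.
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002A6733
• _memset.LIBCMT ref: 002A6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002A67A6
• CloseHandle.KERNEL32(00000000), ref: 002A67AF
Memory Dump Source
• Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: bc132cb85e3b50114aea6daaa9b149fb1c23e3fb2fc7ab96ab08edbf4ca1936f
APIs
  • Part of subcall function 0029AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0029AA79
• GetLengthSid.ADVAPI32(?,00000000,0029ADE4,?,?), ref: 0029B21B
• CopySid.ADVAPI32(?,00000000,?), ref: 0029B247
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.offset or "-", r.similarity.get("API ID"), "->", " > ".join(r.direct_sequence()))
```

Subcall entries are kept but excluded from `direct_sequence`, so two functions that call the same helper still compare by their own call sites; the `string_id_consistent` check catches records whose Similarity block was truncated in the export.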
                                  APIs
                                  • GetSysColor.USER32(00000008), ref: 0027B496
                                  • SetTextColor.GDI32(?,000000FF), ref: 0027B4A0
                                  • SetBkMode.GDI32(?,00000001), ref: 0027B4B5
                                  • GetStockObject.GDI32(00000005), ref: 0027B4BD
                                  • GetWindowDC.USER32(?,00000000), ref: 002DDE2B
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 002DDE38
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 002DDE51
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 002DDE6A
                                  • GetPixel.GDI32(00000000,?,?), ref: 002DDE8A
                                  • ReleaseDC.USER32(?,00000000), ref: 002DDE95
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                  • String ID:
                                  • API String ID: 1946975507-0
                                  • Opcode ID: 9e2efd5baf4cd4444a4e26cb61db39498ea2ebb35f597c9de28cc19840db23a6
                                  • Instruction ID: ab234d7c6c29d514f24e2afe79143d7c09cb559a15290c01abe51b405c503035
                                  • Opcode Fuzzy Hash: 9e2efd5baf4cd4444a4e26cb61db39498ea2ebb35f597c9de28cc19840db23a6
                                  • Instruction Fuzzy Hash: 1CE06D31150281AADF211F74BC4DBD83B11AB11335F00C266F6AD5C0E1C3B24990DB11
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: a41ca7c53e43a0767a15a2788e9c0936fe90fb02c58e8900580b8b82615685d4
                                  • Instruction ID: cf810be6b50c716f746db22cb3eac58c1c7f1a1b36cfb86e19cff669b2fb86e5
                                  • Opcode Fuzzy Hash: a41ca7c53e43a0767a15a2788e9c0936fe90fb02c58e8900580b8b82615685d4
                                  • Instruction Fuzzy Hash: E0E012B1550244EFEB015F70E88CA2E7BA8EB4C351F12C80AFD5E8B210CAB698408B50
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0029B2DF
                                  • UnloadUserProfile.USERENV(?,?), ref: 0029B2EB
                                  • CloseHandle.KERNEL32(?), ref: 0029B2F4
                                  • CloseHandle.KERNEL32(?), ref: 0029B2FC
                                    • Part of subcall function 0029AB24: GetProcessHeap.KERNEL32(00000000,?,0029A848), ref: 0029AB2B
                                    • Part of subcall function 0029AB24: HeapFree.KERNEL32(00000000), ref: 0029AB32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                  • String ID:
                                  • API String ID: 146765662-0
                                  • Opcode ID: c2718a03cc2c5a0faa4fec12768fa13a61d221dbd3c1ed8bd7999fcc10ef9bd7
                                  • Instruction ID: 8cc14ac1de10b7b30ee91bbc4dfebd9f2d1b2c3b4549a21d703a03907a7f6128
                                  • Opcode Fuzzy Hash: c2718a03cc2c5a0faa4fec12768fa13a61d221dbd3c1ed8bd7999fcc10ef9bd7
                                  • Instruction Fuzzy Hash: F1E0B63A144045BBCB012BA5EC4C859FBA6FF983213108221FA2585575CB33A871EF91
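The per-function records on this page (API call list, memory dump source, Joe Sandbox IDA plugin snapshot, Similarity fingerprints) are exported as flat bullet text, which is awkward to query when you want to know, for instance, every call site of CloseHandle or which records carry a subcall entry. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records of this shape into structured objects, indexes call sites by API name and applies a few sanity checks a reviewer would want. The embedded input is two records copied from this page (the WaitForSingleObject/UnloadUserProfile function and the Sleep/GlobalMemoryStatusEx function), trimmed to a single Associated line; all function and field names are this example's own. The check that Opcode ID equals Opcode Fuzzy Hash rests only on the observation that the two are identical in every record shown here, so a mismatch is flagged for a look rather than treated as proof of corruption.

```python
"""Parse Joe Sandbox per-function records into structured objects (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two records copied from this report, trimmed.
REPORT_EXCERPT = """\
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0029B2DF
• UnloadUserProfile.USERENV(?,?), ref: 0029B2EB
• CloseHandle.KERNEL32(?), ref: 0029B2F4
• CloseHandle.KERNEL32(?), ref: 0029B2FC
  • Part of subcall function 0029AB24: GetProcessHeap.KERNEL32(00000000,?,0029A848), ref: 0029AB2B
  • Part of subcall function 0029AB24: HeapFree.KERNEL32(00000000), ref: 0029AB32
Memory Dump Source
• Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: c2718a03cc2c5a0faa4fec12768fa13a61d221dbd3c1ed8bd7999fcc10ef9bd7
• Instruction ID: 8cc14ac1de10b7b30ee91bbc4dfebd9f2d1b2c3b4549a21d703a03907a7f6128
• Opcode Fuzzy Hash: c2718a03cc2c5a0faa4fec12768fa13a61d221dbd3c1ed8bd7999fcc10ef9bd7
• Instruction Fuzzy Hash: F1E0B63A144045BBCB012BA5EC4C859FBA6FF983213108221FA2585575CB33A871EF91
APIs
• Sleep.KERNEL32(00000000), ref: 0027BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0027BCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 1170d7cee35537616c7be94f18951cd038418edaf9372d80fccb3996d88c3e33
• Instruction ID: a1cd9a4edba4c04bde141a5ade7365e3228aa1d8db179f736b567303371c6cca
• Opcode Fuzzy Hash: 1170d7cee35537616c7be94f18951cd038418edaf9372d80fccb3996d88c3e33
• Instruction Fuzzy Hash: 77513571418744DBE321AF14D886BAFBBECFF98354F41884EF2C8410A2DB7095AC8B52
"""

# "Name.MODULE(args), ref: ADDR"; args are optional (see GlobalMemoryStatusEx above),
# and subcall entries carry a "Part of subcall function ADDR:" prefix.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                    # call-site address inside the dumped image
    subcall_of: Optional[int]   # parent function for "Part of subcall function" entries


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    based_on_pe: bool = False
    associated: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # API ID, hashes, snapshot file


def _clean(raw: str) -> str:
    # Drop the bullet glyph and the "Download File" link text left by the HTML export.
    return raw.strip().lstrip("•").strip().removesuffix("Download File").strip()


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":          # every record begins with an APIs header
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                sub = int(m.group("sub"), 16) if m.group("sub") else None
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                            int(m.group("ref"), 16), sub))
        elif section == "Strings":
            current.strings.append(line)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                current.source_file = m.group("file")
                current.image_base = int(m.group("offset"), 16)
                current.based_on_pe = m.group("pe").lower() == "true"
            elif line.startswith("Associated:"):
                current.associated.append(line.partition(":")[2].strip())
        else:   # "Joe Sandbox IDA Plugin" and "Similarity" are plain "Key: value" lines
            key, _, value = line.partition(":")
            current.fields[key.strip()] = value.strip()
    return records


def index_by_api(records: list[FunctionRecord]) -> dict[str, list[int]]:
    """API name -> sorted call-site addresses, subcall entries included."""
    index: dict[str, list[int]] = {}
    for rec in records:
        for call in rec.apis:
            index.setdefault(call.name, []).append(call.ref)
    return {name: sorted(refs) for name, refs in index.items()}


def consistency_issues(rec: FunctionRecord) -> list[str]:
    """Checks to apply before trusting a record's addresses and fingerprints."""
    issues = []
    f = rec.fields
    if f.get("Opcode ID") != f.get("Opcode Fuzzy Hash"):   # identical in every record on this page
        issues.append("Opcode ID and Opcode Fuzzy Hash differ")
    if not rec.based_on_pe:
        issues.append("dump is not PE-based; call-site addresses may not be image-relative")
    for call in rec.apis:
        if rec.image_base and call.ref < rec.image_base:
            issues.append(f"{call.name} ref {call.ref:08X} lies below image base {rec.image_base:08X}")
    return issues


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for name, refs in sorted(index_by_api(recs).items()):
        print(f"{name:22s} " + " ".join(f"{r:08X}" for r in refs))
    for i, rec in enumerate(recs):
        print(f"record {i}: {rec.fields.get('API ID')!r} issues={consistency_issues(rec)}")
```

Running it lists every API with its call-site addresses (CloseHandle at 0029B2F4 and 0029B2FC, the two heap calls attributed to subcall 0029AB24) and reports no issues for either record. Feeding it the full function listing of a report lets you pivot from an API of interest to the exact addresses to open in the snapshot, which is quicker than searching the flat text.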
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: 9154413193e6814409e45747e71059806c78c7738080c9a07a1ed9fd93b7e6b8
                                  • Instruction ID: de6ac8bf727bd4efb3c8abfd7cc54df19bf0ccb69b2c1e3ac268731c8cf5e59b
                                  • Opcode Fuzzy Hash: 9154413193e6814409e45747e71059806c78c7738080c9a07a1ed9fd93b7e6b8
                                  • Instruction Fuzzy Hash: 35E046B1540240EFDB015F70E88C62D7BA8EB4C350F12C80AF95E8B210CBBA98008F10
                                  APIs
                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0029DEAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: ContainedObject
                                  • String ID: AutoIt3GUI$Container
                                  • API String ID: 3565006973-3941886329
                                  • Opcode ID: 788e28f797deb7eba63cde230deaa2f93c2cb819f303b110c149f77d8313102f
                                  • Instruction ID: efaa31c2738673773c6c4a907122b3e8af86e5e1e0f86db5b558bad5c9b2c0d1
                                  • Opcode Fuzzy Hash: 788e28f797deb7eba63cde230deaa2f93c2cb819f303b110c149f77d8313102f
                                  • Instruction Fuzzy Hash: EB913874610602AFDB24CF64C885B6AB7F5BF49710F20846DF94ACB691DBB1E851CB60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscpy
                                  • String ID: I/-$I/-
                                  • API String ID: 3048848545-2223790524
                                  • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                  • Instruction ID: 23415ecabd88ea0063cd8e98228c3009b379d043fa9472ffef383a371b321a29
                                  • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                  • Instruction Fuzzy Hash: FF41B135920217EBCF25EF9CC4519FDB770EF4A710F64504AE881A7192DF705AAA8BA0
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 0027BCDA
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0027BCF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  • Opcode ID: 1170d7cee35537616c7be94f18951cd038418edaf9372d80fccb3996d88c3e33
                                  • Instruction ID: a1cd9a4edba4c04bde141a5ade7365e3228aa1d8db179f736b567303371c6cca
                                  • Opcode Fuzzy Hash: 1170d7cee35537616c7be94f18951cd038418edaf9372d80fccb3996d88c3e33
                                  • Instruction Fuzzy Hash: 77513571418744DBE321AF14D886BAFBBECFF98354F41884EF2C8410A2DB7095AC8B52
                                  APIs
                                    • Part of subcall function 002644ED: __fread_nolock.LIBCMT ref: 0026450B
                                  • _wcscmp.LIBCMT ref: 002AC65D
                                  • _wcscmp.LIBCMT ref: 002AC670
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: _wcscmp$__fread_nolock
                                  • String ID: FILE
                                  • API String ID: 4029003684-3121273764
                                  • Opcode ID: 006b7315c962c9138a221545d3709d915ef9d25c4e826349d763edd4edd9fc67
                                  • Instruction ID: f5defa089fde146e739ac66ade1d0789e3af61dcf86befc60948dd020404028d
                                  • Opcode Fuzzy Hash: 006b7315c962c9138a221545d3709d915ef9d25c4e826349d763edd4edd9fc67
                                  • Instruction Fuzzy Hash: 3041D876A1020ABBDF21EAA4DC42FEF77BD9F89714F000469F605E7181DB709A54CB91
                                  APIs
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 002CA85A
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002CA86F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  • Opcode ID: 8c906559f7d6124c45465a0adfc05012783abd1e2a7a27dd43d64b542941d6c5
                                  • Instruction ID: cb2ca3ab9e148bdab439ea6eca113f2c650653cd6d3366d5ed565cc998d26868
                                  • Opcode Fuzzy Hash: 8c906559f7d6124c45465a0adfc05012783abd1e2a7a27dd43d64b542941d6c5
                                  • Instruction Fuzzy Hash: 4141D774E1120A9FDB14CF64D981FDABBB9FB08304F14026AE905AB381D770A956CF91
                                  APIs
                                  • DestroyWindow.USER32(?,?,?,?), ref: 002C980E
                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002C984A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$DestroyMove
                                  • String ID: static
                                  • API String ID: 2139405536-2160076837
                                  • Opcode ID: f0e4e81adde4a740f3c292899a68d15e7ec76031686f5a8d1035e1d4b7ac54d8
                                  • Instruction ID: bcbf6416d1377ae9a0ac6ba5302707c01f0f758a0afe894c6babc155d4e75a2f
                                  • Opcode Fuzzy Hash: f0e4e81adde4a740f3c292899a68d15e7ec76031686f5a8d1035e1d4b7ac54d8
                                  • Instruction Fuzzy Hash: 2F316A71120605AAEB149F68DC85FFB73A9FF59760F00861DF9A987190CA31ACA5CB60
                                  APIs
                                  • _memset.LIBCMT ref: 002A51C6
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002A5201
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu_memset
                                  • String ID: 0
                                  • API String ID: 2223754486-4108050209
                                  • Opcode ID: a6c3b57c97f103b0eb9e7cf56806cfb573e4f17389a65829ac120deb001f6d69
                                  • Instruction ID: d047e84581d2b968f35ce64d91203e112b6e70ff69dccf5a01dd630ccf163967
                                  • Opcode Fuzzy Hash: a6c3b57c97f103b0eb9e7cf56806cfb573e4f17389a65829ac120deb001f6d69
                                  • Instruction Fuzzy Hash: 3A312871620726DBEB24CF98D885BAFBBF4FF46350F144029ED85E61A0DBB49A54CB10
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: __snwprintf
                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                  • API String ID: 2391506597-2584243854
                                  • Opcode ID: 8805c8885c2971fe399ac833c59b91d60cd637f9bcc0e5921b3132be1a8f2172
                                  • Instruction ID: ba855844bd8ce41c85c2bded9cc0ccbd3ad779fdb850b57e77f006f6d4d88b8c
                                  • Opcode Fuzzy Hash: 8805c8885c2971fe399ac833c59b91d60cd637f9bcc0e5921b3132be1a8f2172
                                  • Instruction Fuzzy Hash: 0821B671620218AFCF15EF64C885EED77B8AF49340F000469F405EB181DB78EAA5CFA1
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002C945C
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C9467
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  • Opcode ID: 059381928f02fef403e97d58ab8dbe657f6ffc8140ef2c6abf0e08bd1da3bf96
                                  • Instruction ID: 092530dd27ccf24469c41930cb545af7d80eed8028a65f9d454e994209f04ce5
                                  • Opcode Fuzzy Hash: 059381928f02fef403e97d58ab8dbe657f6ffc8140ef2c6abf0e08bd1da3bf96
                                  • Instruction Fuzzy Hash: 2C11B2713202096FEF259F54DC84FBB376EEB483A4F104229F91897290D6719CA2CB60
                                  APIs
                                    • Part of subcall function 0027B34E: GetWindowLongW.USER32(?,000000EB), ref: 0027B35F
                                  • GetActiveWindow.USER32 ref: 002CDA7B
                                  • EnumChildWindows.USER32(?,002CD75F,00000000), ref: 002CDAF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ActiveChildEnumLongWindows
                                  • String ID: T1+
                                  • API String ID: 3814560230-4262830476
                                  • Opcode ID: d3b578e643502bbf46fb6a6762e51fa48acaeaf00a9aba0f4cf02d8ae841fd9b
                                  • Instruction ID: 9b286b7641c2f50d2acab71af200d9caafca2fc1599576c436d3734bf842bcef
                                  • Opcode Fuzzy Hash: d3b578e643502bbf46fb6a6762e51fa48acaeaf00a9aba0f4cf02d8ae841fd9b
                                  • Instruction Fuzzy Hash: 8D21F879214201DBC725DF28E954BAAB7E9EF59320F25072DE96A873E0D730A851CF60
                                  APIs
                                    • Part of subcall function 0027D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0027D1BA
                                    • Part of subcall function 0027D17C: GetStockObject.GDI32(00000011), ref: 0027D1CE
                                    • Part of subcall function 0027D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0027D1D8
                                  • GetWindowRect.USER32(00000000,?), ref: 002C9968
                                  • GetSysColor.USER32(00000012), ref: 002C9982
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  • Associated: 00000000.00000002.2063220202.0000000000260000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.00000000002ED000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063315668.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063362346.000000000031A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000324000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2063378854.0000000000357000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                  • String ID: static
                                  • API String ID: 1983116058-2160076837
                                  • Opcode ID: 69527578c08d304e0b591edd24259fdd7798d4ed1dd3666a41f293e7ada438d8
                                  • Instruction ID: 6cd8635cd386361e76621641a2f335d5225f9821687da3021658083173d3e4dd
                                  • Instruction Fuzzy Hash: 5611147252020AAFDB05DFB8C849EEA7BA8EB08354F01462CF955E2250E675E861DB60
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 002C9699
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002C96A8
                                  Strings
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  • Opcode ID: adff9d1bdc85ef4a5bf7586ace032346bf47de2ff2494d5b7cdc0fec9500982c
                                  • Instruction ID: 93ab978fecd0634cf05c2bd41c99faf57ed244cdb6f8969ccb16807d75b43191
                                  • Instruction Fuzzy Hash: DB115B71520109AAEB115F64AC88FAB376EEB05378F604718F965971E0C671DCA19B60
                                  APIs
                                  • _memset.LIBCMT ref: 002A52D5
                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002A52F4
                                  Strings
                                  Similarity
                                  • API ID: InfoItemMenu_memset
                                  • String ID: 0
                                  • API String ID: 2223754486-4108050209
                                  • Opcode ID: 9720a0e25cffc7fef212450d2048effe0a8a00434e9deb8c2395441ca3b97507
                                  • Instruction ID: a713745e41ba2e37cf7241715675f270c3ee456e4f960e0cbdcae652884440da
                                  • Instruction Fuzzy Hash: A9110072D21625ABDF21DEA8D944B9F77A8AF86350F050065E901E7290DBB0ED15CB90
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002B4DF5
                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002B4E1E
                                  Strings
                                  Similarity
                                  • API ID: Internet$OpenOption
                                  • String ID: <local>
                                  • API String ID: 942729171-4266983199
                                  • Opcode ID: 82b116bcf0ecaa202c48f47001202ef5cc573abf253e73a61843acbcbe060893
                                  • Instruction ID: 301869a5cccf4a3d7af34aded412f57fa6a06fd7ddc819d665ceca3d30f6e99d
                                  • Instruction Fuzzy Hash: 2611A070521222BBDB259F51C8C9EFBFAA8FF06795F10822AF51556141D3B09960C6E0
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002937A7
                                  • ___raise_securityfailure.LIBCMT ref: 0029388E
                                  Strings
                                  Similarity
                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                  • String ID: (2
                                  • API String ID: 3761405300-3026641287
                                  • Opcode ID: 295d4c0f8c1a1bc18aa5640618a176463663c4c901212bad9228c703884170a7
                                  • Instruction ID: 8a6a575fe5d3b39b17d2ca50ffb8895591ea24b718a6bcad52a3548969b476c6
                                  • Instruction Fuzzy Hash: 752145B4512B04CFD72ADF64FA95650BBB8BB08310F11982EE504877A2E3F069CACF45
                                  APIs
                                  • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002BA84E
                                  • htons.WSOCK32(00000000,?,00000000), ref: 002BA88B
                                  Strings
                                  Similarity
                                  • API ID: htonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 3832099526-2422070025
                                  • Opcode ID: 38855aeb0c185d65408cd1414db803f5ac32d930821b371ad7992218d80d49f8
                                  • Instruction ID: 1d33a876a553adc3aa5313c8f8823f70653cd04fd5931b5eccbcc5340fe425b9
                                  • Instruction Fuzzy Hash: 8F01F575210305ABCB11AF68D88AFEDB364FF45354F20842AF6169B7D1D771E821CB52
                                  APIs
                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0029B7EF
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 3850602802-1403004172
                                  • Opcode ID: 55a3cc937b62f6e631efb620d4dcabbba2e89c5448f35be29b3445b842dc1458
                                  • Instruction ID: 27d09144273ca6ad9fa725054025ada7c270b04915a35ca4df4842ebd36f557d
                                  • Instruction Fuzzy Hash: 420124B1660114ABCF09FFA4DC429FE7379BF09310B10061CF4A2672D2EFB058288B90
                                  APIs
                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 0029B6EB
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 3850602802-1403004172
                                  • Opcode ID: c05445f3dda2b6d5d8bf7e80edc27d40e81b1b076fc3b0238f270060e7e74ddc
                                  • Instruction ID: bbad807f4385a0a1e7d29a6c48ffe68a18c4d32e4026c5602b3cc0c5be2e459f
                                  • Instruction Fuzzy Hash: FA0184B1661004ABCF09FBA4DA52AFF73AC9F05344B10002DB44263281DB946E389BA5
                                  APIs
                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 0029B76C
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 3850602802-1403004172
                                  • Opcode ID: 45d40fd7a64a9fee63291ae97d903aab70e5d8d518867f8227bf2b8b8e2d19ca
                                  • Instruction ID: 8183734a0b60d6e5c735c8ff790a29cb0e5a26a204c81fb7a3927991ee5db922
                                  • Instruction Fuzzy Hash: 1701D6B2660104ABCF05FBA4EA42EFF73AC9F05344F600119B441B3292DBA55E799BB5
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __calloc_crt
                                  • String ID: "2
                                  • API String ID: 3494438863-2337571644
                                  • Opcode ID: 25439dd2677f8a7160a0a67708216cc6ade5ffceb86c21aff12d8fcaa08f5043
                                  • Instruction ID: 08925a7c659b0ba7ab9ff7d876570fe57b26785cdacecbaa7b95f5de15cf8ea3
                                  • Instruction Fuzzy Hash: 16F0817922A703ABE766BF19BC41BA66BD8A704721F10091EF200CA2C4E77188934B94
                                  APIs
                                  • LoadImageW.USER32(00260000,00000063,00000001,00000010,00000010,00000000), ref: 00264048
                                  • EnumResourceNamesW.KERNEL32(00000000,0000000E,002A67E9,00000063,00000000,75A90280,?,?,00263EE1,?,?,000000FF), ref: 002D41B3
                                  Strings
                                  Similarity
                                  • API ID: EnumImageLoadNamesResource
                                  • String ID: >&
                                  • API String ID: 1578290342-2012809756
                                  • Opcode ID: 1b77328a91345d5dbf588ffd285f9518b0a1d8d19d14c8a6863f2e4ef30ac31d
                                  • Instruction ID: a02696e9eb79df9850414b12a6acc1d5d806a1cdaf5852c5aa7831e56abda434
                                  • Instruction Fuzzy Hash: E6F09031650365B7E2305F1ABD4AFD23FADE725BB5F10410AF714AA1D0D3F094E18A94
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: ClassName_wcscmp
                                  • String ID: #32770
                                  • API String ID: 2292705959-463685578
                                  • Opcode ID: e89401f197ba07e9767f4b7fea9e4194366a46bbc3904f8e707f5b00e0808420
                                  • Instruction ID: c6068630023625ac0ff3c674bb04e76bf6a067895146c769b1a969ffe5dfed34
                                  • Instruction Fuzzy Hash: F1E0D87B6043252BDB20EBA5EC49ED7FBACEB55760F00005AF915D3081D674E75187D4
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0029A63F
                                    • Part of subcall function 002813F1: _doexit.LIBCMT ref: 002813FB
                                  Strings
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283
                                  • Opcode ID: 7cb81515b75c0198b6c4342253f04da544081e4cea214a13f9e2b8fe5498dde6
                                  • Instruction ID: 283ba3cb6f916353586eb0b50d6754aa376619e255eb63a454f1021415bbe18d
                                  • Instruction Fuzzy Hash: C0D02B313D432833C2153AAC7C0BFC9764C8B05B91F040021FB0C995C249E2C6B002D9
                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?), ref: 002DACC0
                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002DAEBD
                                  Strings
                                  Similarity
                                  • API ID: DirectoryFreeLibrarySystem
                                  • String ID: WIN_XPe
                                  • API String ID: 510247158-3257408948
                                  • Opcode ID: 108fb1e76ed014eb1ac411f632fa8e25410fbfcc0b0b3c8917d4a0ef9f1686de
                                  • Instruction ID: 37f5e6a9b3e53da0a43ac6b07156dbd0c453f3ea892b9084031c3acf2e683e41
                                  • Instruction Fuzzy Hash: 82E0C971C30549EFDB11DFA5E988DECB7B8AB48301F148087E516B6260DB705E94DF26
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C86A2
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002C86B5
                                    • Part of subcall function 002A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002A7AD0
                                  Strings
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C86E2
                                  • PostMessageW.USER32(00000000), ref: 002C86E9
                                    • Part of subcall function 002A7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002A7AD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2063253579.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_260000_EKSTRE_1022.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461